RE: Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability

[Thor Larholm <Thor () jubii dk>]

Reading and writing to the system clipboard may be outside the sandbox of
Java Applets, but is a well-documented, and widely used, feature in the
Object Model of Internet Explorer, when using JScript. From the
documentation, this should work on Macintosh as well.

If you look at the clipboardData object (
http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboardD
ata.asp ), you will notice the clearData, getData and setData methods that
it contains.

A quick test: Go to your Adress bar and write

Javascript:alert(clipboardData.getData("Text"))
Javascript:void(clipboardData.setData("Text","your content"))
Javascript:alert(clipboardData.getData("Text"))

What is considered a security hole in one place may be a feature in another
- Java Applets in IE has access to JScript, and hence IEs Object Model and
the clipboardData object.


Regards
Thor Larholm
Jubii A/S - Internet Programmer


> -----Original Message-----
> From: TAKAGI, Hiromitsu [mailto:takagi.hiromitsu () aist go jp]
> Sent: 17. oktober 2001 03:45
> To: bugtraq () securityfocus com
> Subject: Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability
>
>
> Java runtime (J2SE) for Mac OS X v10.0.x has a security hole. 
> It seems to have been fixed in Mac OS X v10.1.
> http://www.apple.com/support/security/security_updates.html
> > Security updates are listed below according to the software 
> release in
> > which they first appeared:
> > Mac OS X v10.1
> > o system clipboard / J2SE - Fixes a security issue that permitted
> >   unauthorized applets access to the system clipboard.
>
> However, the patch for Mac OS X 10.0 has not been released.
>
> Workaround:
> Buy Mac OS X v10.1 or do not use Java applets on Mac OS X v10.0
>
> A brief history of this issue:
>
> On 9 Feb 2001 Cameron McNeil wrote:
> > To: java-dev () lists apple com
> > I've recently been playing around with applets and MRJ2.2.4 
> and I've noticed
> > that unsigned applets have access to the system clipboard. 
> I remember
> > reading somewhere that the system clipboard was considered 
> outside of the
> > sandbox, I know that in windows if you attempt to access 
> the clipboard it
> > will throw a security exception. Is this a bug in the MRJ 
> security model or
> > was the ability to access the clipboard left in intentionally?
>
> On 9 Feb 2001 Eric Albert <ealbert () apple com> wrote:
> > To: java-dev () lists apple com
> > That may well be a bug...I ran into that a month or two ago and was 
> > wondering why MRJ allowed it.  Please file a bug report.
>
> On 5 Jun 2001 TAKAGI, Hiromitsu <takagi () etl go jp> wrote:
> > To: java-dev () lists apple com
> > On 1 Jun 2001 Mickey Segal wrote:
> > >     Are there release notes telling us what is fixed in 
> MRJ 2.2.5? 
> > > The description at http://www.apple.com/java/ reflects 
> only MRJ 2.2.4. 
> > This release seems to contain a security fix.  The clipboard tapping
> > vulnerability which was discovered here on Feb 9(*) has been fixed.
> > However, Apple hasn't notified customers of this fix yet in 
> the release
> > note nor the security bulletin.
> > http://asu.info.apple.com/swupdates.nsf/artnum/n11927
> > http://www.apple.com/support/security/security_updates.html
>
> On 6 Jun 2001 TAKAGI, Hiromitsu <takagi () etl go jp> wrote:
> > To: java-dev () lists apple com
> > Cc: product-security () apple com, java-security () sun com
> >
> > > This release seems to contain a security fix.  The 
> clipboard tapping
> > > vulnerability which was discovered here on Feb 9(*) has 
> been fixed.
> > I prepared a test applet for this vulnerability.
http://java-house.etl.go.jp/~takagi/java/security/mrj-clipboard/Test.html
> ...and found that J2SE v1.3 for Mac OS X is also vulnerable.
> Why hasn't it been fixed?


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/