Bugtraq mailing list archives
RE: Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability
From: Thor Larholm <Thor () jubii dk>
Date: Thu, 18 Oct 2001 12:57:00 +0200
Reading and writing to the system clipboard may be outside the sandbox of Java Applets, but is a well-documented, and widely used, feature in the Object Model of Internet Explorer, when using JScript. From the documentation, this should work on Macintosh as well. If you look at the clipboardData object ( http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboardD ata.asp ), you will notice the clearData, getData and setData methods that it contains. A quick test: Go to your Adress bar and write Javascript:alert(clipboardData.getData("Text")) Javascript:void(clipboardData.setData("Text","your content")) Javascript:alert(clipboardData.getData("Text")) What is considered a security hole in one place may be a feature in another - Java Applets in IE has access to JScript, and hence IEs Object Model and the clipboardData object. Regards Thor Larholm Jubii A/S - Internet Programmer
-----Original Message----- From: TAKAGI, Hiromitsu [mailto:takagi.hiromitsu () aist go jp] Sent: 17. oktober 2001 03:45 To: bugtraq () securityfocus com Subject: Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability Java runtime (J2SE) for Mac OS X v10.0.x has a security hole. It seems to have been fixed in Mac OS X v10.1. http://www.apple.com/support/security/security_updates.htmlSecurity updates are listed below according to the softwarerelease inwhich they first appeared: Mac OS X v10.1 o system clipboard / J2SE - Fixes a security issue that permitted unauthorized applets access to the system clipboard.However, the patch for Mac OS X 10.0 has not been released. Workaround: Buy Mac OS X v10.1 or do not use Java applets on Mac OS X v10.0 A brief history of this issue: On 9 Feb 2001 Cameron McNeil wrote:To: java-dev () lists apple com I've recently been playing around with applets and MRJ2.2.4and I've noticedthat unsigned applets have access to the system clipboard.I rememberreading somewhere that the system clipboard was consideredoutside of thesandbox, I know that in windows if you attempt to accessthe clipboard itwill throw a security exception. Is this a bug in the MRJsecurity model orwas the ability to access the clipboard left in intentionally?On 9 Feb 2001 Eric Albert <ealbert () apple com> wrote:To: java-dev () lists apple com That may well be a bug...I ran into that a month or two ago and was wondering why MRJ allowed it. Please file a bug report.On 5 Jun 2001 TAKAGI, Hiromitsu <takagi () etl go jp> wrote:To: java-dev () lists apple com On 1 Jun 2001 Mickey Segal wrote:Are there release notes telling us what is fixed inMRJ 2.2.5?The description at http://www.apple.com/java/ reflectsonly MRJ 2.2.4.This release seems to contain a security fix. The clipboard tapping vulnerability which was discovered here on Feb 9(*) has been fixed. However, Apple hasn't notified customers of this fix yet inthe releasenote nor the security bulletin. http://asu.info.apple.com/swupdates.nsf/artnum/n11927 http://www.apple.com/support/security/security_updates.htmlOn 6 Jun 2001 TAKAGI, Hiromitsu <takagi () etl go jp> wrote:To: java-dev () lists apple com Cc: product-security () apple com, java-security () sun comThis release seems to contain a security fix. Theclipboard tappingvulnerability which was discovered here on Feb 9(*) hasbeen fixed.I prepared a test applet for this vulnerability.
http://java-house.etl.go.jp/~takagi/java/security/mrj-clipboard/Test.html
...and found that J2SE v1.3 for Mac OS X is also vulnerable. Why hasn't it been fixed?
-- Hiromitsu Takagi, Ph.D. National Institute of Advanced Industrial Science and Technology, Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan http://staff.aist.go.jp/takagi.hiromitsu/
Current thread:
- Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability TAKAGI, Hiromitsu (Oct 17)
- <Possible follow-ups>
- RE: Mac OS X v10.0.x J2SE v1.3 clipboard tapping vulnerability Thor Larholm (Oct 18)