Bugtraq mailing list archives
Re: IE Clipboard Stealing Vulnerability
From: "TAKAGI, Hiromitsu" <takagi.hiromitsu () aist go jp>
Date: Tue, 15 Jan 2002 10:26:05 +0900
On Sat, 12 Jan 2002 15:06:29 +0000 Tom Gilder <tom () vpwsys co uk> wrote:
> IE CLIPBOARD STEALING VULNERABILITY
>
> More information available at http://tom.vpwsys.co.uk/clipboard/
>
> VENDOR SOLUTION
>
> I suggest MS make the Internet Zone default setting to prompt, and
> improve the prompt dialog to show the clipboard contents (if it is
> textual) to the user. They could also add an "always allow this site
> to access the clipboard" checkbox.
>
> Microsoft will probably say something like "it's up to the user to
> set their security settings as they see fit". However I believe the
> majority of IE users will never change anything in their security
> settings. They are simply too complex, and buried in the options
> dialog.
I reported the same issue to Microsoft on 21 Oct 2001 and received the following reply:

On Thu, 25 Oct 2001 18:52:17 -0700 "Microsoft Security Response Center" <secure () microsoft com> wrote:
| We are aware of the issue of protecting the contents of the clipboard.
| This behaviour can be controlled, and is present by design for some
| web services such as Hotmail. If you are concerned about clipboard
| sniffing then you can set "Allow paste operations via script" to
| "Disable" or "Prompt" in the Internet zone. This is explained in
| detail in Q224993 "How to Protect the Contents of Your Windows
| Clipboard".

There was a related discussion at Windows NTBugtraq three years ago.

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6634
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6841
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6968
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=7292

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/
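
The "Allow paste operations via script" setting named in the quoted reply can be audited from the registry. The script below is an added example, not part of the original message or of Q224993. It assumes the standard IE zone-settings layout, which the message does not spell out: URL action 1407 under zone 3 (Internet), with values 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Audit "Allow paste operations via script" for the Internet zone.
# Assumptions (not stated in the message): URL action 1407, zone 3,
# and the standard "Internet Settings\Zones" registry locations.
$action  = '1407'
$zone    = '3'
$sub     = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Locations that can carry the value, policy hives first.
$locations = [ordered]@{
    'Machine policy'  = "HKLM:\SOFTWARE\Policies\$sub"
    'User policy'     = "HKCU:\Software\Policies\$sub"
    'User preference' = "HKCU:\Software\$sub"
    'Machine default' = "HKLM:\SOFTWARE\$sub"
}

$results = foreach ($name in $locations.Keys) {
    $path  = $locations[$name]
    $value = $null
    if (Test-Path -Path $path) {
        $item = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$action }
    }

    # Translate the raw DWORD into the label shown in the security settings dialog.
    if ($null -eq $value) {
        $setting = 'not set'
    } elseif ($meaning.ContainsKey([int]$value)) {
        $setting = $meaning[[int]$value]
    } else {
        $setting = "unknown ($value)"
    }

    [pscustomobject]@{ Source = $name; Setting = $setting; Raw = $value; Path = $path }
}

$results | Format-Table -AutoSize

# Flag any location that lets script read the clipboard without asking.
$open = @($results | Where-Object { $_.Setting -eq 'Enable' })
if ($open.Count -gt 0) {
    Write-Warning ("Script paste is enabled without a prompt in: " + ($open.Source -join ', '))
} else {
    Write-Output 'No location sets script paste to Enable for the Internet zone.'
}
```
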