Bugtraq mailing list archives

Re: IE Clipboard Stealing Vulnerability


From: "TAKAGI, Hiromitsu" <takagi.hiromitsu () aist go jp>
Date: Tue, 15 Jan 2002 10:26:05 +0900

On Sat, 12 Jan 2002 15:06:29 +0000 
Tom Gilder <tom () vpwsys co uk> wrote:
> IE CLIPBOARD STEALING VULNERABILITY
> More information available at http://tom.vpwsys.co.uk/clipboard/
>
> VENDOR SOLUTION
> I suggest MS make the Internet Zone default setting to prompt, and
> improve the prompt dialog to show the clipboard contents (if it is
> textual) to the user. They could also add an "always allow this site to
> access the clipboard" checkbox.
>
> Microsoft will probably say something like "it's up to the user to set
> their security settings as they see fit". However, I believe the
> majority of IE users will never change anything in their security
> settings. They are simply too complex, and buried in the options
> dialog.

I reported the same issue to Microsoft on 21 Oct 2001 and received the
following reply:

On Thu, 25 Oct 2001 18:52:17 -0700 
"Microsoft Security Response Center" <secure () microsoft com> wrote:
| We are aware of the issue of protecting the contents of the clipboard.
| This behaviour can be controlled, and is present by design for some
| web services such as Hotmail.  If you are concerned about clipboard
| sniffing then you can set "Allow paste operations via script" to
| "Disable" or "Prompt" in the Internet zone.  This is explained in
| detail in Q224993 "How to Protect the Contents of Your Windows
| Clipboard".


There was a related discussion at Windows NTBugtraq three years ago.

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6634
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6841
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6968
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=7292


--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/
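
The setting named in Microsoft's reply can be audited from the registry; the following is an added example, not part of the original message or of Q224993. It assumes the standard Internet Explorer zone layout, where "Allow paste operations via script" is URL action 1407 under zone 3 (Internet) with data 0 = Enable, 1 = Prompt, 3 = Disable; the function names are hypothetical.

```powershell
# Added example: report and tighten "Allow paste operations via script"
# (URL action 1407) for the Internet zone (zone 3).
# Assumed value data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneSubKey = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Action     = '1407'
$Meaning    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The same action can be set as a policy or as a preference, per machine or per user.
$Locations = @(
    "HKLM:\SOFTWARE\Policies\$ZoneSubKey",
    "HKCU:\SOFTWARE\Policies\$ZoneSubKey",
    "HKCU:\SOFTWARE\$ZoneSubKey",
    "HKLM:\SOFTWARE\$ZoneSubKey"
)

function Get-ScriptPasteSetting {
    foreach ($path in $Locations) {
        $value = $null
        if (Test-Path $path) {
            $item  = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$Action }
        }
        if ($null -eq $value)                        { $setting = '(not set)' }
        elseif ($Meaning.ContainsKey([int]$value))   { $setting = $Meaning[[int]$value] }
        else                                         { $setting = "Unknown ($value)" }

        [pscustomobject]@{
            Location       = $path
            Value          = $value
            Setting        = $setting
            # Enable means a page script can read the clipboard with no prompt.
            SilentReadRisk = ($value -eq 0)
        }
    }
}

function Set-ScriptPastePrompt {
    # Per-user preference: require a prompt before script may paste.
    $path = "HKCU:\SOFTWARE\$ZoneSubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value 1 -Type DWord
}

Get-ScriptPasteSetting | Format-Table -AutoSize
```

Any row with `SilentReadRisk` true is a location where the Internet zone still permits script paste without asking; a value set under a `Policies` key is managed centrally and will not be changed by `Set-ScriptPastePrompt`.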

