QUOTE(Himanshu @ Sep 14 2005, 04:53 AM)

Hi friends,
I posted the following security exploit in IE at Trap17 but missed out posting it here.
Click here for the actual post:
http://www.trap17.com/forums/security-issu...ard-t27178.html
Pass this information on to create an awareness of the same.
Safe Browsing,
Cheers.
I read some information about this security issue in web browsers. Actually, it is only a security issue for surfers who use Microsoft Internet Explorer; the rest of us who do not use this browser can relax, we are not vulnerable. Anyway, I will explain a little bit about this clipboard sniffer.

1. Only in Microsoft Internet Explorer
The people at Microsoft said it is a "feature" provided by Internet Explorer. The truth is that many web developers think it is more like a bug, because it allows any website with a "clipboard sniffer" to read and use the content of your clipboard. It does not matter if you are working in another application that is not Internet Explorer; it is enough for the clipboard sniffer that you open the website where it is installed in an Internet Explorer window. You won't notice any weird activity.

2. The script is client side only
This means that it only runs on the computer of the website's visitor. The clipboard sniffer is actually based only on very easy (really very easy) JavaScript code that would only be correctly interpreted and executed by Microsoft Internet Explorer. It has no relation to server-side scripting languages such as ASP, PHP, JSP, CGI, etc.; it is completely independent. It is only related to Internet Explorer 6 or lower versions, and Internet Explorer 7 will ask you, before entering a website with the clipboard sniffer, whether you allow this website to access your clipboard. This is more like an 'easy patch' implemented by the Microsoft guys in the last version of their web browser, because it won't fix the security problem in many cases. The 'common', 'normal' and 'non-geek' web surfers may not understand or even read this advice and will click "yes" on these kinds of annoying messages from their browser. Some users are just desperate to open the web page and would not notice the text of any advice the browser shows, especially if they are using Internet Explorer 7 under Windows Vista, because they have to deal with many annoying "security advices" from this operating system all day; after a few minutes of this I would be desperate and I would be hating these messages too.

3. The solution
The straightforward and easiest solution to keep your data secure from clipboard sniffers is simply not using a browser with this "feature". I recommend Firefox or Opera. Both are great browsers and have a solid platform and excellent support for web standards.
Firefox is a completely free, open source web browser and is available for Windows, Mac OS X, Linux, Solaris and other OSes.
Opera is also free to download, but recently they changed their policies and they required you to put some ads or purchase it.
If you still want to use Internet Explorer anyway, that is OK, but it is recommended to change your security settings:

Internet Explorer 5 and 6
1. In Control Panel, click Internet Options.
2. Click the Security tab.
3. Under Select a Web content zone to specify its security settings, click the zone where you want to prevent Web sites from accessing your clipboard.
4. Click Custom Level.
5. In the Scripting section, under Allow paste operations via script, click Prompt or Disable.
6. Click OK.

Internet Explorer 4
1. In Control Panel, click Internet Options.
2. Click the Security tab.
3. Under Select a Web content zone to specify its security settings, click the zone where you want to prevent Web sites from accessing your clipboard.
4. Click Custom, and then click Settings.
5. Click Prompt or Disable for Script ActiveX controls marked safe for scripting, and then click OK.

Note: Windows administrators can also adjust the default setting for this feature by using Group Policy or the Internet Explorer Administration Kit (IEAK).
These steps to fix the security issue were taken from Microsoft Help and Support, available at:
How to Prevent Web Sites From Obtaining Access to the Contents of Your Windows Clipboard
In there you will see a quite long text from Microsoft explaining that it is not a problem because Internet Explorer blocks this "feature" if you turn on the "High Security" mode of Internet Explorer. This mode is more like a "Paranoid mode" because it also blocks many other real features of the web browser.

Conclusion
This feature or bug is a bad characteristic of Internet Explorer in almost all cases. However, it could be useful for some RIAs (Rich Internet Applications) that run under this web browser, and it could be used in a very positive way to create more interactive and desktop-like applications. I think that this feature should be disabled by default at any security level of Internet Explorer, and when a trusted website has a clipboard sniffer script that would be used to enable copy/paste support for some interesting features, a message should then prompt so the user may enable this feature. I have not seen any website that uses this feature, maybe because it is better to copy/paste in the traditional way via the web browser's clipboard support and not via the JavaScript support that is only compatible with Internet Explorer. By using the traditional clipboard support of the web browser, websites only have access to the data that has been pasted into an input box and do not see the entire clipboard like in the JavaScript sniffer.
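
An added example, not part of the original post: a PowerShell audit of the setting changed in the steps above. It relies on Internet Explorer storing "Allow paste operations via script" as DWORD value 1407 (URLACTION_SCRIPT_PASTE) under each zone's registry key, with 0 = Enable, 1 = Prompt, 3 = Disable; the policy-before-preference lookup order is a simplifying assumption.

```powershell
# Added example (not from the original post): report how each IE security zone
# handles URL action 1407, "Allow paste operations via script".
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Searched in this order; policy keys are assumed to win over user preference.
$Roots = [ordered]@{
    'Machine policy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User preference' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ScriptPasteSetting {
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone)

    foreach ($source in $Roots.Keys) {
        $key  = Join-Path $Roots[$source] "$Zone"
        $prop = Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # not configured at this level

        $value = [int]$prop.'1407'
        $state = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Unknown ($value)" }
        return [pscustomobject]@{
            Zone    = $ZoneNames[$Zone]
            Source  = $source
            Setting = $state
            # Only Prompt or Disable match the hardening steps in the post.
            AllowedWithoutPrompt = ($value -eq 0)
        }
    }
    # No value found anywhere: the zone uses its built-in template default.
    [pscustomobject]@{
        Zone    = $ZoneNames[$Zone]
        Source  = 'Not set'
        Setting = 'Template default'
        AllowedWithoutPrompt = $null
    }
}

# Audit all five zones for the current user.
0..4 | ForEach-Object { Get-ScriptPasteSetting -Zone $_ } | Format-Table -AutoSize
```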