Slashdot Mirror


Clipboard Data Theft Now Optional With IE7

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."

162 comments

  1. not quite by pchan- · · Score: 5, Insightful

    Firefox, Opera and most other non-IE browsers forbid this behavior by default

    No, they don't forbid. They DON'T IMPLEMENT such a stupid idea. Microsoft had to go out of their way to ADD this "feature".

    1. Re:not quite by otacon · · Score: 1

      Right, just because it's possible to do doesn't mean do it...I really can't think of a real practical use of that to be honest.

      --
      In a world of acronyms, the words are the real victims.
    2. Re:not quite by AxiomOfExtensionalit · · Score: 1
      Microsoft had to go out of their way to ADD this "feature".

      IE is integrated with the GUI itself, so it's bound to have some extra "functionality" like this. Microsoft designed IE with features, not features specifically for secure browsing.
    3. Re:not quite by ruiner13 · · Score: 2, Informative

      I could be wrong, but I think I remember a setting in Firefox's about:config page that allows you to enable sites to access the clipboard. This may have been removed, but I think it was in there at least in FF 1.0. There is still something called clipboard.autocopy in there in FF 2.0.0.1, I don't recall if this is the same setting.

      --

      today is spelling optional day.

    4. Re:not quite by Thansal · · Score: 2, Informative

      quick google tells us that clipboard.autocopy is a *nix only option that automatically copies selected text to the clipboard.

      --
      Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    5. Re:not quite by Intron · · Score: 4, Funny

      I always cut-n-paste my login information when it has some minimum password length + funny character requirement + no echo. This makes it a lot more convenient to access my bank details from phish sites.

      --
      Intron: the portion of DNA which expresses nothing useful.
    6. Re:not quite by Binestar · · Score: 2, Informative

      clipboard.autocopy is the setting to tell you if you want highlighted text to automagically be copied instead of doing it with the mouse/keyboard.

      signed.applets.codebase_principal_support gives scripts using codebase principals access to advanced scripting capabilities. Basically, it allows signed applets out of the sandbox because they've promised to play nice. One of the main uses of this (according to the help page) is to allow IRC applications access to your clipboard.

      http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries

      --
      Do you Gentoo!?
    7. Re:not quite by uncommonlygood · · Score: 5, Informative

      Don't know about the others, but firefox definitely does implement it, it's just off by default.

    8. Re:not quite by AchiIIe · · Score: 5, Insightful

      Not so fast. Have you tried using google spreadsheets? Try -- then try selecting something, right click and select "Copy", or "Paste"
      - Whoa, you can't copy paste unless you manually do CTRL-V, or CTRL-X/C

      I gave up on using word/openoffice I simply use writely for all my documents. I've had documents being edited with up to 50 people just fine.
      Think twice before blindly bashing microsoft. There are some of us that want that "feature"

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
    9. Re:not quite by FyRE666 · · Score: 0, Flamebait

      Do people actually USE Javascript in Opera?! It's not a bad browser for rendering CSS layouts, but its JS engine sucks and has always sucked. Basic AJAX (I hate that acronym, but it seems to be all over the place at the moment) simply fails with it to the point all the sites I work on actively sniff for Opera and remove Javascript beyond basic rollovers and form validation. This isn't a troll, as I still test CSS layouts with Opera to ensure templates look correct, but I doubt anyone uses it for its scripting capabilities!

    10. Re:not quite by silentounce · · Score: 2, Funny

      Actually, I wrote an intranet site that uses this feature. For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway. I agree for normal internet sites there is no need though. You can also enable it through firefox advanced parameters in about:config, but I don't have the link to that information at the moment. That's ok, give me your url and I'll stop by and drop it off.
      --
      There are many tongues to talk, and but few heads to think. -Victor Hugo
    11. Re:not quite by jesser · · Score: 1

      Do you know what other "security holes by design" Flash has? Or other widely used plugins, for that matter?

      I first became aware of this particular one when mkaply filed bug 360950, and I've been trying to figure out how to incorporate it into Security tips for Firefox users.

      --
      The shareholder is always right.
    12. Re:not quite by Tim+C · · Score: 2, Insightful

      They DON'T IMPLEMENT such a stupid idea.

      Well, Firefox does, although it's off by default and requires a site to be whitelisted. Globally allowing silent access to the clipboard is shockingly bad, though, even if in the vast majority of cases the contents will be perfectly benign; it speaks volumes about the general attitude towards security.

    13. Re:not quite by a.d.trick · · Score: 1
      For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway.

      Well no, because (thank God) Flash is not installed by default. Also, this security bug in Flash. Plugins have just as much control over your computer as Firefox does (this is how it works with any browser) and it is up to the plugin's authors to keep their plugin secure. Macromedia/Adobe have failed but they probably couldn't care less. That's why plugins have to be installed and they have warning messages.

    14. Re:not quite by The+Spoonman · · Score: 0

      Oddly enough, that's not a good thing for me. I use Ajaxterm to administer some systems, and always connected to it with IE because Firefox blocked the clipboard. MS has implemented it properly now by offering me a warning rather than just deciding how I should be able to use my computer. Although, to be honest, I knew about the "issue" in the past, I just wasn't that concerned about it. How often do I have something in my clipboard I don't want someone else to see? And, how likely is it I'll hit a "malicious site" at the exact moment I happened to have it in there? There are levels of acceptable risks, and it's up to ME to decide what they are, not the FF devs.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    15. Re:not quite by cyber-vandal · · Score: 1

      I can cut and paste from my browser too and it doesn't support this 'feature'. Or does Google Office reimplement cut and paste ignoring the fact that GUI has it built in already?

    16. Re:not quite by Kelson · · Score: 1

      Have you looked at it since Opera 9 was released? It's supposed to fix a lot of AJAX-related problems and shortcomings.

    17. Re:not quite by AchiIIe · · Score: 2, Informative

      Keep in mind, this is an Ajax app, the "GUI" does not know about the internal schema that google spreadsheets uses. I'm not talking about just copying some text, when using spreadsheets you may want to copy a whole row, or a table - formulas formatting & all the works so you can paste it in excel/openoffice/gnumeric. In this case you Have to give access to the javascript application so that it can construct the correct representation and place it in the clipboard.

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
    18. Re:not quite by cyber-vandal · · Score: 1

      Yeh *blush* I see what you mean. I'll check it out before I post next time.

    19. Re:not quite by the_greywolf · · Score: 3, Insightful
      Do people actually USE Javascript in Opera?!

      Yes. I do a significant amount of my testing in Opera 9 and Firefox, and am in fact developing a full-featured RTE based on designMode that currently works in IE, Firefox, Opera 9, and Safari 2.

      It's not a bad browser for rendering CSS layouts, but its JS engine sucks and has always sucked. Basic AJAX ... simply fails with it to the point all the sites I work on actively sniff for Opera and remove Javascript beyond basic rollovers and form validation. This isn't a troll, as I still test CSS layouts with Opera to ensure templates look correct, but I doubt anyone uses it for its scripting capabilities!

      It reads like a troll, since you clearly haven't done much testing with Opera 9. Their DOM implementation is complete through most of level 2, and is in line with Firefox 2. Their new designMode stuff is very complete, with behavior similar to Firefox's Midas. The XMLHTTPRequest stuff that everyone relies on so much now has been well-supported for a very long time.

      The reason Opera doesn't work on so many "AJAXy" applications is, simply, because of the fact that developers with your mentality either do sniffing of the navigator object (which is Wrong, a Bad Thing, bad practise, and just plain idiotic) or are just too shortsighted to see that Opera is improving with every new release (version 8.0 notwithstanding).

      I do the bulk of my Javascript testing now in Firefox, but use Opera 9 as a test environment to verify results. I test in IE only to see what other kinds of idiotic things its half-assed "DOM" implementation does wrong.

      --
      grey wolf
      LET FORTRAN DIE!
    20. Re:not quite by assassinator42 · · Score: 1

      Actually, using Ctrl+C and pasting it into an OpenOffice spreadsheet yields the same results as using the AJAX copy button in IE7 and allowing clipboard access. Both lose the formatting, but copy the data into the correct cells.

      Still, IE7's way does seem better in this case.

    21. Re:not quite by fbjon · · Score: 1

      You don't have to hit a malicious site when you have something important in your clipboard. Just hitting once sometime before is enough, since it can silently open a new, small window that continuously monitors and sends everything that is copied, for as long as IE is running.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    22. Re:not quite by the_greywolf · · Score: 1
      No, they don't forbid. They DON'T IMPLEMENT such a stupid idea. Microsoft had to go out of their way to ADD this "feature".

      The "feature" in question is the following JavaScript snippet:

      document.execCommand('paste', false, false);
      // where document is any document object having designMode="on"

      Firefox throws an exception "Access to XPConnect service denied" and Opera 9 claims no support (throwing "NOT_SUPPORTED_ERR"). 'copy' and 'cut' throw similar exceptions.

      So, yes, Mozilla DOES IMPLEMENT this "stupid idea". They have gone OUT OF THEIR WAY to protect your clipboard contents by disabling it by default. The IE team has done NOTHING to protect your clipboard from sniffing.

      This feature has limited usefulness and it's stupid to rely on it for anything. But, if you really need it to work, you can turn it on in Firefox. I'm not at all surprised Opera 9 doesn't support it. I wouldn't.

      --
      grey wolf
      LET FORTRAN DIE!
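The three browser responses described in the comment above can be turned into a small policy audit. This is an added example, not part of the original comment or of any browser's code: the function names are hypothetical, the stand-in documents are constructed to reproduce only the responses quoted in the thread, and treating a declined IE7 prompt as a `false` return value is an assumption.

```javascript
// Added example: classify how a document answers programmatic clipboard
// commands, so a browser configuration can be checked for the exposure
// discussed in this thread.

const CLIPBOARD_COMMANDS = ['paste', 'copy', 'cut'];

// Run one command and reduce the outcome to a policy verdict.
function classifyClipboardCommand(doc, command) {
  if (!doc || typeof doc.execCommand !== 'function') return 'unsupported';
  try {
    // execCommand returns true when the command was carried out.
    return doc.execCommand(command, false, null) ? 'allowed' : 'refused';
  } catch (err) {
    const detail = [err && err.name, err && err.message, String(err)].join(' ');
    if (/NOT_SUPPORTED_ERR|NotSupportedError/.test(detail)) return 'unsupported';
    if (/denied|permission|security/i.test(detail)) return 'denied';
    return 'error';
  }
}

// Audit all three commands and summarise what page script can do.
function auditClipboardPolicy(doc) {
  const verdicts = {};
  for (const command of CLIPBOARD_COMMANDS) {
    verdicts[command] = classifyClipboardCommand(doc, command);
  }
  return {
    verdicts,
    // A successful 'paste' means page script can read the clipboard.
    readable: verdicts.paste === 'allowed',
    // A successful 'copy' or 'cut' means page script can overwrite it.
    writable: verdicts.copy === 'allowed' || verdicts.cut === 'allowed',
  };
}

// Build a constructed stand-in for a designMode document.
function makeStandIn(behaviour) {
  return {
    designMode: 'on',
    execCommand(command) {
      return behaviour(command);
    },
  };
}

const STAND_INS = {
  // Constructed: every command silently succeeds, as the thread describes
  // for IE before version 7.
  permissive: makeStandIn(() => true),
  // Constructed: the Firefox exception text quoted in the comment.
  firefoxDefault: makeStandIn(() => {
    throw new Error('Access to XPConnect service denied');
  }),
  // Constructed: the Opera 9 exception name quoted in the comment.
  opera9: makeStandIn(() => {
    const err = new Error('not supported');
    err.name = 'NOT_SUPPORTED_ERR';
    throw err;
  }),
  // Assumption: a declined prompt surfaces as a false return value.
  promptDeclined: makeStandIn(() => false),
};

// Audit every stand-in and return the results keyed by name.
function auditStandIns() {
  const report = {};
  for (const [name, doc] of Object.entries(STAND_INS)) {
    report[name] = auditClipboardPolicy(doc);
  }
  return report;
}

// In a browser, audit the real document; elsewhere, audit the stand-ins.
if (typeof document !== 'undefined') {
  console.log(auditClipboardPolicy(document));
} else {
  console.log(JSON.stringify(auditStandIns(), null, 2));
}
```

When run in a browser, point it at a scratch document with designMode="on": on a permissive configuration the probe really performs the paste, copy and cut commands.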
    23. Re:not quite by master_p · · Score: 3, Informative

      But copy-paste works locally. When you copy-paste data between your documents, even on the web, javascript puts the data on the local clipboard. Remote apps should not be able to steal data from the local clipboard.

    24. Re:not quite by zafayar · · Score: 1

      Not true. Firefox has this feature implemented, and turned off for all sites by default. If you want, you can go and edit the user.js file manually and allow the copy/paste feature.

    25. Re:not quite by FyRE666 · · Score: 1

      Well I tend to use the DOM with as little branching as possible (between Firefox, Safari and IE). I must admit I don't tend to spend much time looking into the problems Opera has with scripts, as most of my current code is for CMS GUIs (drag and drop, heavy Ajax interfaces) and clients don't tend to use Opera - actually they probably don't use Firefox either, but I do ;-). The 3 main browsers all work with the code flawlessly. It'd be nice if Opera supported the DOM as well as the other browsers, but it just plain doesn't, and it's not worth branching code for no purpose.

      I suspect I'm not alone in filtering out Opera - I started sniffing for it way back when (I believe) they introduced the "document.createElement()" stub code, which didn't actually create an element - pretty indefensible in my view as it meant checking the browser capabilities instead of sniffing was hampered. I think the last time I seriously tested it (may have been 7.5x) it left pixel trails in the browser when using DHTML to resize a div from a mouse drag unless I added code to keep changing the Z-index. There's no doubting it's probably the best browser for embedded devices, and renders CSS fine, but I can't see myself supporting it for any serious Javascript/Ajax work any time soon - if ever.

    26. Re:not quite by Anonymous Coward · · Score: 0

      I had to use a flash hack to make it work though

      <rms>That's what you get for tainting your browser with non-free plugins</rms>

    27. Re:not quite by drsmithy · · Score: 1

      IE is integrated with the GUI itself, so it's bound to have some extra "functionality" like this.

      IE is no more "integrated" into the Windows "GUI" than, say, khtml is into KDE.

    28. Re:not quite by Anonymous Coward · · Score: 0

      This is an improvement over previous editions because there was no warning.

      There is a setting (Tools -->> Internet Options -->> Security Tab -->> Internet Zone -->> Custom level... button -->> Scroll down to near the bottom, and change the "Allow Programmatic clipboard access" setting to Disallow, or at least to Prompt). (The default is set to Allow.)

      If you want to question how Microsoft has decided to default this setting, have away. But IE has been around the longest of any of the browsers without a development fork, so this was put in at some point, and was actually a decent tool to have before phishers and others of their ilk made security such a priority.

      I know it's /. culture to go bashing MS for even perceived flaws, but the issue is really dumb users. If you don't know enough to at least go and look at these settings, then the gods have pity on your soul.

      IE 7 loads much faster than Firefox 2.0, and I never have problems loading pages in it. I can't say the same for Firefox.

      YMMV of course. Flame away...

    29. Re:not quite by Fred_A · · Score: 1
      clipboard.autocopy is the setting to tell you if you want highlighted text to automagically be copied instead of doing it with the mouse/keyboard.
      I'm amazed someone even thought of something as completely useless as this. That it was actually implemented is even more incredible. :-/
      --

      May contain traces of nut.
      Made from the freshest electrons.
    30. Re:not quite by Inda · · Score: 1

      We have an intranet site that uses the clipboard too. Basically an Office application copies the document properties to the clipboard, opens a webpage, and auto-magically fills in a form.

      1. FFS, use POST or a URL string.

      2. FFS, ask me before overwriting the information I already had in the clipboard.

      3. FFS, people rate you as a good web developer. Why? Yes I'm talking to you Mr. I-Stick-Stupid-MySQL-logos-on-every-page.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    31. Re:not quite by The+Spoonman · · Score: 1

      Yes, but still a minor risk and handled better now by MS than FF.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    32. Re:not quite by Binestar · · Score: 2, Informative

      This is the default (and very useful) behavior in each of the linux installs I've ever done.

      Being able to highlight something, then middle click to paste it somewhere is huge.

      You still have a separate ctrl-c and ctrl-v functionality with a separate clipboard for your manual copy/paste, so you're not losing any functionality.

      It's a *very* useful feature, and far from useless, I keep looking for something similar for windows but can't find anything that works for me.

      --
      Do you Gentoo!?
    33. Re:not quite by bampot · · Score: 1

      They really don't have a clue. I hadn't heard about this before, but noticed recently when using IE7 with one of our intranet apps it asked about accessing the clipboard. The app in question is a Java applet drawing package, with copy/paste functions.

      Whilst it's commendable they've made an effort to fix this bug, there's no way to permanently allow a single site access to the clipboard. A user has to click every time, even if the server being accessed is a trusted site.

    34. Re:not quite by the_greywolf · · Score: 1
      Well I tend to use the DOM with as little branching as possible (between Firefox, Safari and IE). I must admit I don't tend to spend much time looking into the problems Opera has with scripts, as most of my current code is for CMS GUIs[...] The 3 main browsers all work with the code flawlessly. It'd be nice if Opera supported the DOM as well as the other browsers, but it just plain doesn't, and it's not worth branching code for no purpose.

      Are you sure? In my testing, Opera 9 has as complete an implementation of the DOM as Firefox does. In fact, I've been relying on that for most of what I do - which includes work on a CMS GUI.

      As for the other issues you note, I do recall seeing them in pre-8.0 versions, but since 8.5, I've never seen even one such problem. Nearly everything is complete and fixed as of 9.0, and Opera is already at 9.10.

      --
      grey wolf
      LET FORTRAN DIE!
    35. Re:not quite by Fred_A · · Score: 1
      This is the default (and very useful) behavior in each of the linux installs I've ever done.

      Being able to highlight something, then middle click to paste it somewhere is huge.
      This is typical for X and indeed quite useful. But quite different of automatically pasting anything selected without any further action. Which was the system outlined here.
      --

      May contain traces of nut.
      Made from the freshest electrons.
    36. Re:not quite by Binestar · · Score: 1

      This is typical for X and indeed quite useful. But quite different of automatically pasting anything selected without any further action. Which was the system outlined here.

      I believe you are mistaken, please re-read the thread. Nothing mentioned about autopasting, just autocopy.

      --
      Do you Gentoo!?
    37. Re:not quite by Anonymous Coward · · Score: 0
      Nearly everything is complete and fixed as of 9.0, and Opera is already at 9.10.
      1. "Nearly" makes a world of difference. 2. Opera already being 9.10 still doesn't implement addEventListener right (despite user requests on forums).
    38. Re:not quite by Anonymous Coward · · Score: 0

      This is typical for X and indeed quite useful. But quite different of automatically pasting anything selected without any further action. Which was the system outlined here.

      I believe you are mistaken, please re-read the thread. Nothing mentioned about autopasting, just autocopy.

      He's saying that previous versions of Internet Explorer did the autopasting and that autocopy is quite useful but quite different than what's being discussed. The whole point of this article is talking about how IE did autopaste prior to version 7.
  2. Probably? by ifrag · · Score: 5, Insightful

    How is something like this only "probably ill-advised".
    This is beyond complete stupidity. I probably can't even count the number of times I've had security sensitive stuff in the clipboard.

    --
    Fear is the mind killer.
    1. Re:Probably? by another_fanboy · · Score: 1

      This is beyond complete stupidity.
      For what reason would they allow a site access to the clipboard?

    2. Re:Probably? by Ark42 · · Score: 1

      Large scale VB apps with IE embedded into them and lots of custom IE-only html for a networked application might want to implement copy/paste via javascript and custom active-X controls. Nothing you'd really want to let a random internet site have access to.

    3. Re:Probably? by archen · · Score: 1

      This is probably inherited from the jscript engine which is a part of windows scripting host. Or possibly it was inherited from the help system. Or maybe it's one of the umpteen million other problems that were created by integrating IE with windows. What is surprising is how the clipboard feature wasn't at least put under the control of the internet zones trust model. Not that there hasn't been enough security problems with that, but it is at least acknowledging that it's something arbitrary websites shouldn't do.

    4. Re:Probably? by pclminion · · Score: 1

      It's probably NEVER a good idea to keep sensitive data in the clipboard. You never know when that particular chunk of memory might get swapped out to disk. When that happens, your "secure" data is now sitting in plaintext form inside your swap file. Secure data really needs to be handled only by secure applications (with appropriate memory pins to prevent sensitive data from going out to an unencrypted volume). The clipboard is definitely not something I'd consider for that purpose.

      I've grepped for my email password in my swap file before. It was there. Not good.

    5. Re:Probably? by AchiIIe · · Score: 3, Insightful

      Google spreadsheets? - try doing a copy paste between excel and GS. Google documents? - Would you not want to Select - right click - copy? Well, you might want to, but they overwrite the right click to include their own menu -- and guess what, now you can't

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
    6. Re:Probably? by jesser · · Score: 3, Funny

      You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

      --
      The shareholder is always right.
    7. Re:Probably? by pclminion · · Score: 2, Informative

      You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

      First of all, I said email PASSWORD, not address. Somebody could steal my laptop and read my email and send email from my account. That would require them to be able to discern the password in all the millions of bytes of swap data, but I can imagine writing a program that could scan for candidates.

      If my email password happened to be equal to my main account password (as can happen due to certain policies, but thankfully not in this case), that's quite a bit more serious. It makes me wonder what else might be lurking in the swap partition. When you type a password (like say, the root password for your main file server) into an application, you're really placing all your faith in that application to dispose of that data appropriately. So yeah, I'd be worried, especially in the context of a company, where it's easy to get your hands on a laptop that doesn't belong to you.

    8. Re:Probably? by MadUndergrad · · Score: 1

      Simple solution: use enough ram so you don't need the swap file. Unless you're in Ubuntu (and maybe others), which, iirc, doesn't let you not use one.

    9. Re:Probably? by Antony-Kyre · · Score: 1

      I wonder. Why aren't they going to fix this for IE6?

    10. Re:Probably? by Anonymous Coward · · Score: 0

      You need more Monty Python, man... That phrase was probably meant to be funny...

    11. Re:Probably? by jesser · · Score: 1

      Sorry, I misread your comment. Makes me wonder how I got modded up, making fun of you for something you didn't say ;)

      But more seriously...

      I think it's pretty hard for applications to manipulate data (even passwords) in a way that guarantees they are never written to a swap file. And that's assuming your computer is *off* when it's stolen; it takes even more care to ensure the data doesn't remain in memory.

      If you're paranoid enough to want to protect that data, though, why not encrypt your entire user account including the swap file?

      --
      The shareholder is always right.
    12. Re:Probably? by Anonymous Coward · · Score: 0

      Could you tell me what's inside the chocolate treat labeled "crunchy frog"?

    13. Re:Probably? by HolyCrapSCOsux · · Score: 1

      I don't think you can do that in windows.
      Never used swap on my audio workstation (only 1G of memory), but I have 2 G in my windows machine and It still uses the pagefile.

      --
      0xB315AA8D852DCD3F3DCA578FD2E0BF88
    14. Re:Probably? by Anonymous Coward · · Score: 0

      It most certainly is possible, at least on linux.

    15. Re:Probably? by pkulak · · Score: 1

      Or just put your swap on an encrypted drive.

    16. Re:Probably? by John+Nowak · · Score: 1

      Simpler solution: Click the "use secure virtual memory" button in OS X. You can set up similar schemes for other operating systems as well with a bit of effort.

    17. Re:Probably? by elliott_keith · · Score: 1

      You can disable it in Windows (2000/XP, as far as I know). Right-Click "My Computer" --> "Properties" --> "Advanced" Tab --> Performance "Settings" --> "Advanced" Tab --> Virtual Memory "Change" Button --> Select "No Paging File", then "Set"

    18. Re:Probably? by drsmithy · · Score: 1

      I don't think you can do that in windows.

      You can, but it's ill-advised. The Windows VM system is tuned with the assumption a pagefile will exist.

      Never used swap on my audio workstation (only 1G of memory), but I have 2 G in my windows machine and It still uses the pagefile.

      Windows will always page out while the system is idle - this is generally A Good Thing, as it allows any new (or additional) memory allocations to be serviced immediately (simply by marking the already paged-out RAM as free), rather than having to actively page it out first. However, historically Windows has been fairly aggressive at handing over "idle" RAM to other processes or the buffer cache (especially the buffer cache). This is the behaviour most people are criticising when they complain about Windows "swapping too much" - not the "swapping" (paging) per se, but the aggressive reallocation of already-paged RAM.

      (I believe this behaviour was improved significantly in Windows 2003, and hence Vista as well.)

    19. Re:Probably? by Anonymous Coward · · Score: 0

      That's also because you would need 4GB to not have a pagefile. To guarantee no page file is necessary, you should have the maximum amount of RAM, which on a 32 bit processor is 4GB's.

    20. Re:Probably? by e4g4 · · Score: 1

      Not to sound too much like a mac fanboy, but Tiger does have the ability to encrypt memory pages that are paged to disk - I'd imagine it adds some overhead to the paging process, but nevertheless seems like a decent security feature, and one I'd not even considered the usefulness of until I read your post.

      --
      The secret to creativity is knowing how to hide your sources. - Albert Einstein
  3. Could anyone explain.. by Squapper · · Score: 2, Interesting

    ...what on earth were they thinking in the first place?

    1. Re:Could anyone explain.. by tqk · · Score: 1

      ...what on earth were they thinking in the first place?

      What a silly question. You can't be both thinking and doing something like this at the same time.

      Think, then type. :-)
      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    2. Re:Could anyone explain.. by j00r0m4nc3r · · Score: 1

      Methinks MS is secretly in cahoots with the spam, porn industry and mafia.

      "Oh... we uhh.. put in a huge security hole?? Whoopsiedoodle!! Tee hee hee...Sorry."

    3. Re:Could anyone explain.. by Scrameustache · · Score: 1

      ...what on earth were they thinking in the first place?

      "I wonder what people keep in their clipboard..."
      --

      You can't take the sky from me...

    4. Re:Could anyone explain.. by capnsponge · · Score: 1

      I think the reason is Outlook Web Access (OWA), which has a built-in paste feature. To see it in action: If you have access to an OWA account (I think hotmail works too but I haven't tried it), log in with Internet Explorer and start a new message. Right click on the message body and click Paste. You get the same warning message about the web site requesting access to the clipboard. In an attempt to make OWA look, feel and behave like Outlook, I think Microsoft crammed as much functionality into IE-Javascript as they could..and clearly they got carried away. I'm not defending Microsoft's decision (it was clearly stupid), I'm just trying to rationalize it.

  4. To all Micro$oft apologists by Bohemoth2 · · Score: 1, Troll

    Ok, you can STFU and sit down now.
    This is not FUD from the FOSS community.
    This is reality.

    1. Re:To all Micro$oft apologists by spun · · Score: 1

      Just when you think you have the groupthink of the slashbot mods figured out, they go and mark a perfectly good anti-MS screed as "troll." Go figure. ;)

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  5. Fantastic! by Anonymous Coward · · Score: 0

    That's what I call innovation. I love Microsoft.

  6. Thank God! by Whiney+Mac+Fanboy · · Score: 1

    Thank God it's no longer compulsory!

    Thanks MS!

    --
    There are shills on slashdot. Apparently, I'm one of them.
  7. Can't Believe It by endianx · · Score: 3, Insightful

    I had no idea that was possible. I would never have imagined they would do something so stupid, even Microsoft. What other "features" do they have that I don't know about? I fear to think.

    1. Re:Can't Believe It by CastrTroy · · Score: 1

      I've known about this feature for a long time. I once had thoughts of implementing a feature into my site where I automatically got the information off the clipboard and sent it to my server, just to see what I could pick up. I decided not to, however, I'm sure many people are not as honest as I am.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Can't Believe It by Anonymous Coward · · Score: 0

      Some people are still wondering why everyone hates Microsoft.

  8. Where's Clippy when you need him? by Anonymous Coward · · Score: 3, Funny
    Please PLEASE, let this warning be issued by Clippy. Such a stupid feature necessitates an equally stupid user interface.

    "It looks like h4XX0R5.net would like to see what's on your clipboard."

    /nostalgic for Clippy
  9. I'm helping! by PingSpike · · Score: 4, Funny

    Internet Explorer:
    Send personal data to unknown source? Click Ok to continue.

    1. Re:I'm helping! by Nimloth · · Score: 1

      Probably through one of these popups too: http://gallery.mudpuddle.co.nz/albums/album04/Must_Click_YES.gif

  10. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  11. Clippy by Anonymous Coward · · Score: 0

    So innocent, yet so evil

  12. Why? by Archangel+Michael · · Score: 2, Insightful

    I mean why is it even "optional"? I cannot even think of a reason why ANY website would need access to my clipboard stuff, under any circumstances!

    [new phishing scam]
    Open text document, type in password, copy the password to clipboard, click this link, and we'll verify that your password matches the one in our file. Honest!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Why? by karmatic · · Score: 2, Interesting

      It's sometimes convenient to be able to _put_ things in the clipboard. TinyURL uses this feature to automatically copy the generated link to the clipboard for pasting. I've also seen an IRC search engine that pre-copied the file transfer commands for you.

      I still can't see a good reason to let the web page automatically get clipboard data. If you need it that badly, throw up a text box, and have the user hit paste.

    2. Re:Why? by enharmonix · · Score: 2, Insightful

      I mean why is it even "optional"? I cannot even think of a reason why ANY website would need access to my clipboard stuff, under any circumstances!

      http://docs.google.com/
    3. Re:Why? by jesser · · Score: 1

      It may be convenient, but it's also a severe security hole. If you paste anything from an untrusted site into a terminal window or into mIRC, you're owned. (I make this point on Security tips for Firefox users.) If web sites were able to put data on your clipboard without your knowledge (e.g. without you pressing Ctrl+C), it would be even worse.

      --
      The shareholder is always right.
    4. Re:Why? by Onan · · Score: 1


      I'm sorry, but allowing global write access to my clipboard is also multiple types of insane:

      Clobbering my clipboard destroys whatever information I had on it. Given that my system does not habitually destroy that for no good reason, sometimes that's unique information that I don't have anywhere else. I don't want it poofed by some web site being "helpful".

      Clobbering my clipboard ensures that the next time I paste, something different will happen than what I expected. Obviously this can be leveraged into that "something different" being a security compromise.

      So, no. What's on my clipboard is just none of any site author's bloody business.

    5. Re:Why? by complete+loony · · Score: 1

      I could see a need for a web page to run some script to process data when I press Ctrl+V, perhaps being able to process a different type of clipboard data than just text. BUT there's no way in hell it should be possible to get that data if I didn't press Ctrl+V.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    6. Re:Why? by bill2009 · · Score: 0
      I cannot even think of a reason why ANY website would need access to my clipboard stuff, under any circumstances!


      My experience with IE "security" says that this will get in my way every time I want to paste something into a form because MS will be convinced I'm a web site.
  13. Features vs. Security by Kelson · · Score: 5, Insightful
    Microsoft designed IE with features, not features specifically for secure browsing

    Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product. (Not saying they succeeded at making things convenient, just that it was the goal.) Security was only rarely a concern, because for the most part an attacker (barring the occasional virus-infected floppy) needed physical access to a personal computer to mess with it.

    Two things changed: personal computers are now vastly interconnected. Lots more people have them. Result? Bad guys can attack random machines on the other side of the planet using automated tools. Security is now a major priority.

    Bolting security onto insecure-by-design products has had spotty success. In the last couple of years Microsoft has also tried to make more security-conscious designs...and they've paid for it in complaints when customers lose the convenience of, for example, always running with admin rights.

    1. Re:Features vs. Security by jimlintott · · Score: 4, Insightful

      While I pretty much agree with what you are saying I should point out that this is a web browser we are talking about. Ignorance of connected computers can't apply to a product that requires a connected machine to be useful.

    2. Re:Features vs. Security by Tim+C · · Score: 4, Interesting
      Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.


      Don't forget that that includes UNIX; from the preface to O'Reilly's "Practical Unix and Internet Security":

      When the first version of this book appeared in 1991, many people thought that the words "UNIX security" were an oxymoron -- two words that appeared to contradict each other, much like the words "jumbo shrimp" or "Congressional action." After all, the ease with which a UNIX guru could break into a system, seize control, and wreak havoc was legendary in the computer community. Some people couldn't even imagine that a computer running UNIX could be made secure.

      The various flavours of UNIX have come a long, long way since 1991. So have MS; but they have had farther to go, started later and have not been travelling nearly as fast. A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands...
    3. Re:Features vs. Security by cyber-vandal · · Score: 1, Interesting

      And I remember some clown from Microsoft advancing the view that because Unix security sucked when it was the same age as Windows NT it was ok for Windows NT security to suck, thereby inviting their customers to stick with Unix until NT security didn't suck anymore.

    4. Re:Features vs. Security by Anonymous Coward · · Score: 0
      Two things changed: personal computers are now vastly interconnected. Lots more people have them. Result? Bad guys can attack random machines on the other side of the planet using automated tools. Security is now a major priority.
      That's a false reasoning. The fact that PCs are now vastly interconnected implied that PCs were not vastly interconnected and that was an excuse why Microsoft implemented an unsecure, half-assed feature on IE. However, what is IE? It's a web browser to be used on a computer connected to the Internet, by its nature. Whether or not the majority of the PCs are interconnected is irrelevant as any users using IE already use a PC that is interconnected. How many users actually use IE to read text files or browse images from the hard drive?

      Since the nature of the software is to be used on an interconnected PC, then Microsoft should have implemented basic security precaution. The fact that they didn't shows how incompetent Microsoft is.
    5. Re:Features vs. Security by a.d.trick · · Score: 2, Informative
      Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.

      I think it's more accurate to say "appear convenient and powerful". There's nothing convenient or powerful about data lost or computers infected with worms and trojans.

    6. Re:Features vs. Security by diegocgteleline.es · · Score: 1

      The various flavours of UNIX have come a long, long way since 1991.

      In fact, let's remember that the first Internet worm, that could have brought down the whole Internet (a small network at that time), infected Unix systems and was 100% UNIX-based and used a fscking buffer overflow vulnerability. Still today there're tons of those buffer overflow vulnerabilities.

    7. Re:Features vs. Security by Rob+the+Bold · · Score: 3, Insightful
      A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands...

      I don't disagree with you at all, but I'm compelled to add this:

      The thing is, computers are ubiquitous -- and omnipresent -- these days, and the bulk of them are running MS Windows of some version. They're as common as stereos, but as touchy as a Stradivarius (or a crappy Strad copy). It's not really a valid assumption that all computer users are experts at using computers. They buy them to shop, do embroidery, type phone lists into spreadsheets, watch porn, keep in touch with relatives, etc. They don't want to be computer experts in order to do these things any more than I want to learn to play bass or drums or violin just to listen to some music.

      So if Microsoft wants ordinary people to be able to continue using Windows PCs in a networked world, security has got to be easier. If the only secure computer is one that is managed by an IT Pro, then the potential market for personal computers (and PC operating systems) is only businesses. And that would be bad news for MS.

      --
      I am not a crackpot.
    8. Re:Features vs. Security by dgatwood · · Score: 3, Insightful

      Yes, and that worm and others like it are the primary reason that sendmail only makes up about half of all the mail servers out there (50-60%, depending on whose numbers you believe). You can't call that a security hole in UNIX any more than you can call an IIS security hole a flaw in Windows XP Pro.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    9. Re:Features vs. Security by tjcrowder · · Score: 1
      Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.
      <<Brrrraaaaaap!>> I'm sorry, that's the wrong answer. It's been several years since 1997. Please accept this lovely eggtimer as a consolation present as you leave the stage...
    10. Re:Features vs. Security by Kelson · · Score: 4, Insightful

      It takes time for people -- and companies -- to adjust. I used the term paradigm deliberately. Even though Microsoft should have considered security more carefully when writing a network client, they were still operating under the paradigm established under the older, less-connected reality.

      IE has been around for a decade. It took until people started massively taking advantage of the security flaws in Windows, IE, Outlook (Express) -- the outbreak of worms and viruses a few years ago -- for Microsoft to adjust to the fact that security was not just something to consider, but might possibly trump the old priorities.

    11. Re:Features vs. Security by complete+loony · · Score: 2, Informative

      Plus they also tried to turn IE into a platform for intranet applications that *require* more access to the machine than they should have from within a browser.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    12. Re:Features vs. Security by zeugma-amp · · Score: 3, Insightful

      Plus they also tried to turn IE into a platform for intranet applications that *require* more access to the machine than they should have from within a browser.

      You're not kidding. The place where I work has many intranet applications that require IE use, and also require that you eliminate just about every security mechanism that IE has in order for them to work. Siebel is the biggest offender. You practically have to mount a "please hack me" sign on your workstation after you set up IE to make Siebel work.

      --
      This is an ex-parrot!
    13. Re:Features vs. Security by ydra2 · · Score: 1

      "Two things changed: personal computers are now vastly interconnected. Lots more people have them. Result? Bad guys can attack random machines on the other side of the planet using automated tools. Security is now a major priority."

      Yeah but those two things changed over ten years ago! And security has been a major priority for every other OS for twenty years. Even Microsoft went on a big security binge three years ago. So how many more years will it be before Microsoft gets security?

    14. Re:Features vs. Security by Baricom · · Score: 2, Insightful

      (Note: These are serious questions.)

      Why would one write a web application that works only in Internet Explorer? Doesn't that defeat the primary benefit of a web app - increased flexibility? Wouldn't it be more sane to use something like VB that will be more consistent at the expense of less portability?

    15. Re:Features vs. Security by Anonymous Coward · · Score: 0

      Nope.

      They still solve the problem of keeping an application updated across thousands of machines. True you could use SMS or similar, but at least at my company you have to wait for months of paperwork and testing (sub standard testing, beyond the full testing we already did) to get an SMS push setup.

  14. It's the defaults, stupid by Anonymous Coward · · Score: 2, Interesting

    I've said it before, and I'll say it again: half of MS's security problems are stupid defaults. You've been able to disable "allow paste from script" in IE for ages now, but it's ENABLED BY DEFAULT. Stupid, STUPID, STUPID!!!

    Now, if they would just unhide extensions by default, and disable ActiveX by default except for pages on the trusted list (or just get rid of ActiveX totally, but I realize that'd be asking for too much), and get rid of a few other stupid defaults that I always uncheck on a new install, and we'd all be a lot happier.

  15. Are both ways fixed? by Target+Drone · · Score: 4, Insightful
    If I read the articles correctly it seems there are 2 ways to access the clipboard data.
    1. Via the javascript windows.clipboard object.
    2. You embed an active-x spreadsheet in your page (which gets installed with office) then java script can call a method to paste the contents of the clipboard into a cell in the spreadsheet.
    Anyone know if both methods are now fixed? The Washington Post article doesn't seem to say.
    1. Re:Are both ways fixed? by Anonymous Coward · · Score: 0

      yes, go to mozilla.com

    2. Re:Are both ways fixed? by lostboy2 · · Score: 4, Informative

      Not "fixed" (as in removed), but apparently you can turn it off in IE4 through IE6.

    3. Re:Are both ways fixed? by WalksOnDirt · · Score: 1

      Unfortunately, according to the first link in the summary, websites can turn it back on without your permission.

      --
      a,e,i,o,u and sometimes w and y (at be if of up cwm by)
    4. Re:Are both ways fixed? by lostboy2 · · Score: 1

      Oh, now that's funny: disabling the "Allow paste operations via script" option in IE6 breaks the "copy & paste" feature in Yahoo Mail Beta. GMail and regular Yahoo Mail still work fine though.

    5. Re:Are both ways fixed? by lostboy2 · · Score: 1

      Oh. Whoops. Still, you can disable "Run ActiveX controls and plug-ins", which is what the Microsoft article noted as the solution for IE4. I guess that means this is really the only solution for IE5 and 6 as well.

  16. Only a matter of time... by Joebert · · Score: 2, Informative

    ... before someone ignores that little "This is a Phishing site you fucking moron!" indicator & clicks "ok" for this prompt.

    Yes, it's possible to disable it completely through Internet Security Settings with a setting called "Programmatic Clipboard Access".

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    1. Re:Only a matter of time... by Anonymous Coward · · Score: 0

      Yes, it's possible to disable it completely through Internet Security Settings with a setting called "Programmatic Clipboard Access"

      Phew! I'm glad Grandma won't be affected by this. With such an obvious, plain-English setting she will surely catch it, even though it's enabled by default.

      Then again, why not make it non-default with a name like *only enable this phishing setting if you are a fucking moron!!!1!on1*

  17. There are many clipboards but this one is mine by wumpus188 · · Score: 3, Funny

    yy
    p

    1. Re:There are many clipboards but this one is mine by the_greywolf · · Score: 1

      Indeed. That's the only clipboard I trust and rely on.

      :wq!

      --
      grey wolf
      LET FORTRAN DIE!
    2. Re:There are many clipboards but this one is mine by aproposofwhat · · Score: 1

      LOL - gave me a small tingle of vi-carious pleasure!

      --
      One swallow does not a fellatrix make
  18. WoW login stealing method? by RichMan · · Score: 1

    A lot of people playing WoW have said they used cut-and-paste on their password to avoid key loggers. (yea real smart having it in plain text in another file anyways). I wonder if they know about this vulnerability.

    1. Re:WoW login stealing method? by nuzak · · Score: 1

      Virtually all malware that installs a keylogger probably installs a clipboard watcher too. Most of them ALSO sniff passwords on the wire too (though I doubt they're sniffing WoW's protocol stream). You can try copying and pasting pieces of the password out of order. No one's going to bother reassembling it when there's easier targets for less effort. Better yet you can use a machine that you're more confident hasn't been rootkitted.

      --
      Done with slashdot, done with nerds, getting a life.
  19. Once Again, "It Isn't a Bug, It Is a Feature!" by EXTomar · · Score: 2, Insightful

    Once again Microsoft instead of recognizing a bug decides unplanned behavior is trying to treat it like a feature. Most other designers would call this a bug but there is something else beyond the definition. What possibly earthly reason would there be for a server to request the content of client's clipboard?? I'm having an extremely hard time imagining a use case for such an event even with Ajax web applications.

    So instead of fixing the bug, they treat it like a feature and ask for confirmation. This behavior by default should never be allowed in any context let alone a web/internet one. Asking for user confirmation on an action not allowed is silly and yet another scary dialog where the user won't bother reading or understanding the warning and just click "Yes" to dismiss and continue on their browsing.

    I hate sounding negative when talking about Microsoft's technology but it is stances like this that make it so hard to avoid.

    1. Re:Once Again, "It Isn't a Bug, It Is a Feature!" by Abcd1234 · · Score: 2, Insightful

      Once again Microsoft instead of recognizing a bug decides unplanned behavior is trying to treat it like a feature.

      Actually, what's sad is that this *really was a feature*! A bug implies unintended behaviour. But clearly, they *meant* it to work this way.

    2. Re:Once Again, "It Isn't a Bug, It Is a Feature!" by Anonymous Coward · · Score: 0

      AjaxTerm - a terminal emulator that runs as an ajax app in a web browser
      offers the ability to cut/paste to the main clipboard and it is quite useful.

      -- rouilj

    3. Re:Once Again, "It Isn't a Bug, It Is a Feature!" by jesser · · Score: 1

      What possibly earthly reason would there be for a server to request the content of client's clipboard?? I'm having an extremely hard time imagining a use case for such an event even with Ajax web applications.

      Usually, the site wants to offer an alternate user interface for the Paste command.

      The most common example is a WYSIWYG editing box with a 'B' button, an 'I' button, etc. Maybe they think users expect Cut/Copy/Paste buttons on any toolbar that includes text-styling commands, and won't think to use the normal methods such as Ctrl+V, the menu at the top, or a context menu.

      A better example is Google Docs, which overrides the context menu in order to include special items like "Insert Image..." and "Insert Link...". Because it isn't using the browser's normal context menu, it can't include a (working) Paste command.

      I'm not saying it's a good idea for browsers to let scripts access the clipboard (with or without a prompt). I'm just pointing out that there are legitimate cases where a site would be able to offer a better user interface (or at least a user interface more consistent with popular native applications) if it were able to script Paste commands.

      --
      The shareholder is always right.
  20. We need a new Firefox feature ... by Anonymous Coward · · Score: 0

    ... that emulates this functionality, but instead of sending up your clipboard it sends up a VERY large chunk of data (remember - uploading is unquota'd).

  21. Security First... by Idbar · · Score: 1

    Internet Explorer: (subsequent pop-up window)
    The information you are sending to "Unknown Source", is not encrypted. Do you want to encrypt your data? The source will still be able to get access to the data since all your passwords will be also submitted. Click Ok to continue or Ok to continue
    [Ok] [Ok]

  22. Why not just fix it? by Zarjay · · Score: 2, Insightful

    Why didn't Microsoft just fix the problem instead of adding a user confirmation prompt? Why is it important for IE to allow websites to get clipboard data from users?

    That's a screwy way of fixing a security defect, if you ask me.

    1. Re:Why not just fix it? by diegocgteleline.es · · Score: 1

      Fixing it required adding a dialog with two buttons - "Yes | No".

      I mean, how much time it took you the first time you added a dialog and two buttons to a program? It's understandable that it took them 3-4 years to implement and test!

    2. Re:Why not just fix it? by Shados · · Score: 1

      The problem isn't that. The feature is there so you can add usability features to your site. Like a better, and customised "right click" menu, for example with data grids, or text editors. A way to, let's say, parse Word clipboard and strip formatting. Pasting HTML with a special formatting. You name it. It's useful.

      The problem is that since this is accessible in javascript, you could, let's say, paste that data in a hidden field, so that when a user posts a form, it will post their clipboard. Or use Ajax to push it to the server, etc. That's the exploit.

      The feature itself was NEVER meant for the web site to get the data...it was meant to help the user copy and paste more effectively when using a web page, and improve usability... The only issue is that it CAN be used to let the server fetch the data, something you never, ever, EVER want.
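
Added example, not part of the original thread or any commenter's code: the use case raised above by Shados (strip formatting from pasted Word content) combined with the constraint complete loony asks for (the script sees clipboard data only when the user actually pastes). The function names and the sample fragment are constructed for illustration; `clipboardData.getData`, `isTrusted` and `setRangeText` are standard browser APIs.

```javascript
'use strict';
// Added illustration; function names are hypothetical, sample data is constructed.

// Reduce an HTML clipboard flavour (e.g. what a word processor places on the
// clipboard) to plain text. The result must be inserted as text, never as
// HTML, so any markup this simple stripper misses stays inert.
function htmlToPlainText(html) {
  return html
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '') // drop code/CSS and its body
    .replace(/<!--[\s\S]*?-->/g, '')                            // drop comments
    .replace(/<br\s*\/?>|<\/(p|div|li|tr|h[1-6])\s*>/gi, '\n') // block ends become newlines
    .replace(/<[^>]*>/g, '')                                    // drop remaining tags
    .replace(/&nbsp;/g, ' ')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&')                                     // last, so nothing is decoded twice
    .replace(/[ \t]+\n/g, '\n')
    .replace(/\n{3,}/g, '\n\n')
    .trim();
}

// Paste handler: clipboard contents are read only from the event object the
// browser delivers when the user pastes. Nothing here can read the clipboard
// at any other moment.
function handlePaste(event, insertText) {
  if (!event || event.isTrusted !== true || !event.clipboardData) {
    return null; // script-generated event or no data: do nothing
  }
  const html = event.clipboardData.getData('text/html');
  const text = html ? htmlToPlainText(html)
                    : event.clipboardData.getData('text/plain');
  event.preventDefault(); // suppress the browser's own formatted paste
  insertText(text);
  return text;
}

// Browser wiring for <textarea>/<input> targets (skipped outside a browser).
if (typeof document !== 'undefined') {
  document.addEventListener('paste', (event) => {
    const el = event.target;
    if (el && typeof el.setRangeText === 'function') {
      handlePaste(event, (t) =>
        el.setRangeText(t, el.selectionStart, el.selectionEnd, 'end'));
    }
  });
}

// Constructed stand-in for a paste event, so the logic can be run offline.
function makeFakePaste(flavours, trusted) {
  return {
    isTrusted: trusted,
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
    clipboardData: { getData: (type) => flavours[type] || '' },
  };
}

// Constructed sample of word-processor style clipboard HTML.
const SAMPLE_HTML =
  '<!--StartFragment--><p class="MsoNormal"><span style="font-size:14pt;' +
  'color:red">Quarterly <b>totals</b> &amp; notes</span></p>' +
  '<p class="MsoNormal">Line two<br>Line three</p><!--EndFragment-->';

function demo() {
  const inserted = [];
  const event = makeFakePaste({ 'text/html': SAMPLE_HTML }, true);
  handlePaste(event, (t) => inserted.push(t));
  return inserted[0];
}
```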

    3. Re:Why not just fix it? by Anonymous Coward · · Score: 0

      Why would a website ever have, without specific permission by the user given, access to the contents of the clipboard? I still do not see it.

    4. Re:Why not just fix it? by Shados · · Score: 1
      Why would a website ever have, without specific permission by the user given, access to the contents of the clipboard? I still do not see it.


      The permission part is for the user experience. It annoys the users sometimes fast. Imagine the following: I'm overriding the contextual menu to add functionality to my web app. Virtually ALL dumb corporate users go straight to the contextual menu when they want to do anything. Now, the COPY option is not there anymore, because I overrode it. So I need to put it back. But now, whenever a user uses it, it asks for a confirmation. Awkward.

      I understand the security issues, and thus it has to be disabled by default and ask permissions. There's no choice. But it is a major usability hit in more complex web apps. There will literally NEVER be a time when I could justify the SERVER having access to the clipboard. But the actual client side UI? Yes, most definitely.
  23. Staring at a monitor too long . . . by Orange+Crush · · Score: 1

    For a second there I thought summary said: "IE7 throws up a warning asking whether users really want to let a site felch their clipboard data."

  24. It seemed like a good idea at the time by Somatic · · Score: 5, Funny
    Public: What on earth would motivate you to implement such a thing?

    MS: It seemed like a good idea at the time.

    Public: In what way did it seem like a good idea?

    MS: Well, maybe not a good idea, but an idea.

    Public: So thinking was involved.

    MS: Well, it was more like inspiration.

    Public: ...

    MS: They throw chairs at us. Help. Please.

    --
    My script don't crash! She crashes, you crashed her!
    1. Re:It seemed like a good idea at the time by DaoudaW · · Score: 1

      Public: ...

      MS: They throw chairs at us. Help. Please.


      Funny, I always thought it was M$ that threw chairs.

    2. Re:It seemed like a good idea at the time by Anonymous Coward · · Score: 1, Funny

      WHOOSH

      (and no that was not a chair)

    3. Re:It seemed like a good idea at the time by Somatic · · Score: 1

      Yeah, that last line was supposed to be the voice of the MS programmers. Sometimes I wish we had edit buttons round here.

      --
      My script don't crash! She crashes, you crashed her!
  25. Yay, new Firefox users! by KingSkippus · · Score: 2, Insightful

    My god, I don't know how I've missed this one. It's the most scary thing I've seen in a long time. I like to think I'm pretty savvy, and I stay up with all of the latest scoop, but this is the first I've read about this gaping security hole.

    For the past half hour, I've been showing people I work with this exploit (I'm sorry, I refuse to call it a "feature"), and everyone's been forwarding e-mails to their home account with two pieces of information: 1) The ScriptingMagic site URL to play with at home and show other people, and 2) the Firefox URL to install as soon as they get off today.

    Thank god I've been using Firefox for a couple of years or so now. This is unbelievable. The thought that an IE window in my background could have been sitting there all along, quietly capturing and reporting everything I put in my clipboard, is just unbelievable.

    1. Re:Yay, new Firefox users! by im_thatoneguy · · Score: 1

      Some database somewhere:

      - http://dictionairy.com/
      - Accorddingly
      - insufficient
      - electrolisis
      - dyode
      - http://funnylink.com/
      - [Random business address]
      - Hey I'm back from vacation, what's up guys?
      - xnYZ36A
      - In a world savaged by insecurity one man is standing up to stop it.
      - Eva Longoria
      - ASDF
      - http://business.link.com/

      I'm quivering in my boots as I write it. My god! They know everything!

    2. Re:Yay, new Firefox users! by Anonymous Coward · · Score: 0

      You can do the same thing in Firefox or Opera by embedding a small flash component in the page. Does it require an extra two minutes work on the hacker's part to implement it? Yes. But it's still trivial to exploit.

      What's more interesting to me is knowing if IE7 Vista's process-level security system would apply the same clipboard rules to a plugin like Flash. If so, that's a substantial security leap in favor of IE.

    3. Re:Yay, new Firefox users! by KingSkippus · · Score: 1

      Point me to a page with a "small flash component" that will, without any kind of interaction whatsoever, echo whatever is in my clipboard to me. I'd like to see a Firefox equivalent of this page.

  26. example by c00rdb · · Score: 2, Informative

    here's a site that has a valid use for the paste part of the exploit. not sure about the retrieval part... (works on firefox too) www.2prong.com

    1. Re:example by fbjon · · Score: 2, Informative

      That site works in Opera too, incidentally, but it's not an example of the security hole. It can only overwrite the content in the clipboard, not copy it back, so it's not a problem. Though perhaps a mild annoyance if you happen to store all your important data and private keyfiles in there.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  27. Oh Big Whoop by eno2001 · · Score: 3, Funny

    It's not like people are gonna be able to get anything valuable out of the cut and paste buffer. It's like what? 8k max? And how many people cut and paste valuable things like password, credit card numbers, user IDs, and the like anyway. The most any hacker will get would be part of someone's goofy school paper, a portion of an e-male, maybe at worst a URL (GASP!). This is so like a non-issue. As if...

    [SLASHDOT CLIPBOARD IE7 CONTENT DUMP for User eno2001]:

    eno2001 14m431337h4ck3r (419)555-2727
    Look at this later: http://www.iheartfurries.com/

    ub3rsm00vem4l3: So baby... my wife's out of town the whole weekend. Cum over and play?
    SororityBabe6500000: Oh yeah! Let's party!

    Books to read: How to Build a Nukyelar Bomb in Your Basement for Less than the cost of a Washing Machine, Trisexuals are People Too: A Study in Prejudice, How to Win an Election the Easy Way (Diebold Hacking)

    Important investment info: Steve B said I should sell the Novell stock early next week. Remember to tell Feingold ASAP.

    [END SLASHDOT IE7 CLIPBOARD CONTENT DUMP]

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  28. Not quite - got a warning in IE6 by Anonymous Coward · · Score: 0

    I tried it using IE6 and got a warning. So maybe nothing to see here at all?

  29. Only in Opera by ZPWeeks · · Score: 2, Interesting

    I regularly hop between Firefox, IE7, and Opera. Call me indecisive. My university, like many, uses WebCT pretty extensively. Some places deliver quizzes, exams, and assignments solely through WebCT. The program uses this clipboard function somehow - I assume to watch for plagiarism. It's one of the very few ways I wouldn't object to this "feature". The only browser to ever notify me of WebCT looking at my clipboard was Opera. Probably for this reason, WebCT warns of "incompatibility" with Opera, but still allows access. That's alright, since Opera easily masks itself as Firefox. I don't mind it in WebCT - but I would mind it on almost any other website.

  30. Workaround for IE6 by edraven · · Score: 2, Informative

    Change the security setting for "Allow paste operations via script" to "Prompt". Now it'll ask you every time a script interacts with the clipboard, as near as I can tell. For example, when you're pasting text into the form on Google Maps, it'll ask you if that's okay even though it's you the user requesting the paste operation. But pasting into the Post Comment form here on slashdot does not.

    This has an interesting side effect on the "harmless" exploit page mentioned in the article, though. The script on that page apparently loops continuously, so every time you answer (whether yes or no) the dialog is presented again. The dialog takes precedence over other IE controls, and as near as I can tell there's no way out short of terminating the browser.

  31. Who would have thought by pembo13 · · Score: 1

    I am by no means fond of Microsoft, but darn . . . never would I have guessed that they had ever implemented such a feature. I mean . . . I have been working with the assumption that MS has really smart guys, but the higher ups are just total scumbags. But how could anyone willfully implement such a thing into a publicly consumed product? This for me is a new low.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:Who would have thought by dave420 · · Score: 1, Troll

      Well, Firefox has the same feature, so I guess you have to be angry with them, too.

  32. My IE7... by sheepoo · · Score: 2, Informative

    ...did not prompt me!

  33. Google docs and spreadsheets by Anonymous Coward · · Score: 2, Insightful

    I think the reason they finally did this was to make it harder to use Google docs and spreadsheets--very annoying to get a prompt every time you copy/paste a cell in the sheet.

    1. Re:Google docs and spreadsheets by Anonymous Coward · · Score: 0

      Most users of Google Docs/Spreadsheets use Firefox anyway. Can you copy/paste data in Google Docs/Spreadsheets within Firefox? (I'm not going to try it myself; I refuse to soil my PC with Google's garbage.)

  34. Clipboard use in Firefox by Anonymous Coward · · Score: 0

    Go to about.config and change clipboard.autocopy to true

  35. Security settings by islanduniverse · · Score: 2, Insightful

    I don't know if this has been commented on already, but there is an option in the IE settings that controls this setting. Does no-one on /. ever go through application settings first? Under scripting: "Allow programmatic clipboard access" I think it is.

    Unless this is something completely different... (Oh, and please fill in my survey for my dissertation! http://www.survey.flere.co.uk/ :) It's about online shopping and only takes less than 10 minutes! Thanks)

  36. Ironic. by lukateake · · Score: 2, Insightful

    Since the offending script stealing my clipboard will only be grabbing itself since I just came to the site to see how they implement clipboard access in JavaScript.

  37. Get the damn word right by Anonymous Coward · · Score: 0, Offtopic

    You don't steal data, you duplicate it.

    It isn't data theft, it's unauthorized duplication.

    Why is this so difficult?

  38. Security settings-wonderful if you know about them by freeweed · · Score: 3, Insightful

    Does no-one on /. ever go through application settings first?

    Yes.

    Do we even know about, let alone go through all 5,000 braindead security settings that Windows seems to have these days? Hell no. After a while, you have to assume a vendor would do SOMETHING right. This one floored me completely. I thought a dozen open network ports on a home desktop OS was stupid, but this is beyond belief.

    Things like this are why I moved to Linux. It's simply impossible to keep up with every idiotic setting that needs to be changed after a default Windows install.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  39. Just curious here by JourneyExpertApe · · Score: 1

    If people considered UNIX to be notoriously insecure in 1991, what did they consider to be secure? Surely not MS-DOS. What else was there to compare it to?

    --
    If you can read this sig, you're too close.
    1. Re:Just curious here by heinousjay · · Score: 1

      Security is not a zero sum game.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    2. Re:Just curious here by JourneyExpertApe · · Score: 1

      All things are relative.

      --
      If you can read this sig, you're too close.
    3. Re:Just curious here by ozmanjusri · · Score: 2, Interesting
      What else was there to compare it to?

      VMS, OS360.

      --
      "I've got more toys than Teruhisa Kitahara."
  40. FYI you can disable it totally too by The+Seventh+Sign · · Score: 1

    Under Internet Options and Security, click Custom Level, find the toggle and select it. No more nagging box.

    TSS

  41. Is anyone really surprised? by ErGalvao · · Score: 1

    As I've stated before, this is MS default "security" policy: ask for confirmation. "Are you sure you want your data in the hands of others?", "Are you sure you want to execute this evil .exe?", "Are you sure you want your hard drive screwed?", and so on...

    Funny thing MS don't ask questions like "Are you sure you want an annoying notice saying that your windows is not legal?"

    Pathetic... but then again, nothing new on MS front...

    --
    Er Galvão Abbott - IT Consultant and Developer
  42. kids today by Clover_Kicker · · Score: 3, Insightful

    If people considered UNIX to be notoriously insecure in 1991, what did they consider to be secure? Surely not MS-DOS. What else was there to compare it to? VMS?

    The various IBM mainframe OS choices?

    OS/400?

    There were a zillion weird mini architectures/OS combos you could buy in 1991.
  43. In a small room, deep under a hill... by advocate_one · · Score: 1

    NSA rep to his chief "bummocks, now we'll have to find some other way to filch stuff from everybody.... First it was the jpeg hole, now this. OK what holes have we got left?"

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  44. Me Too by cyclomedia · · Score: 1

    I developed a spreadsheet-like web app for a firm earlier this year and whilst the pitch was only aimed at IE I cheekily made it FX compatible too (Opera came a close third and kinda works). But one of the functions they wanted was the ability to copy/paste data into the table to/from an actual spreadsheet or email. IE's ability to talk to the copy buffer on demand combined with some cunning tab delimiting of data worked well.

    The workaround for FX never got implemented but I was thinking of having a pop up textarea that allows you to paste in (once you've selected your cells and range) and then onchange fires the relevant process. Getting copy data out though would be more difficult.

    If there were a handy way of capturing the cut/copy/paste event from the keyboard or right click and being able to chat to the copy buffer in that event-time-window then that might be a better solution as otherwise we're just putting up barriers to effective web application development. Especially where the App is designed to be used by non-geeks who are used to copy and paste just working.

    --
    If you don't risk failure you don't risk success.
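
Added example, not part of the comment above or of any poster's code: a sketch of the event-scoped design that comment asks for, where the page reads the clipboard only through the `paste` event the user triggered and treats the tab-delimited text as untrusted. The names `parseClipboardGrid`, `handlePaste`, `MAX_CELLS` and the `#sheet` table id are assumptions, and quoted cells containing tabs or newlines are not handled.

```javascript
// Added example: all names here are illustrative, not from the thread.
const MAX_CELLS = 10000; // assumed cap so one huge paste cannot freeze the page

// Split spreadsheet clipboard text (rows by newline, cells by tab) into a grid.
function parseClipboardGrid(text) {
  if (typeof text !== "string" || text.length === 0) return [];
  const rows = text.replace(/\r\n?/g, "\n").replace(/\n$/, "").split("\n");
  const grid = rows.map((row) => row.split("\t"));
  const cells = grid.reduce((n, r) => n + r.length, 0);
  if (cells > MAX_CELLS) throw new RangeError("paste too large");
  return grid;
}

// The clipboard is read only from the event object of a user-initiated paste;
// there is no call that polls the clipboard at an arbitrary time.
function handlePaste(event, writeCell) {
  const data = event.clipboardData;
  if (!data) return 0; // not a real paste event: nothing to read
  event.preventDefault();
  const grid = parseClipboardGrid(data.getData("text/plain"));
  let written = 0;
  grid.forEach((row, r) =>
    row.forEach((value, c) => {
      writeCell(r, c, value);
      written++;
    })
  );
  return written;
}

// Browser wiring (skipped outside a browser): cells are written as text,
// never as markup, so pasted "<script>" stays inert.
if (typeof document !== "undefined") {
  const table = document.querySelector("#sheet"); // hypothetical table id
  if (table) {
    table.addEventListener("paste", (e) =>
      handlePaste(e, (r, c, v) => {
        const cell = table.rows[r] && table.rows[r].cells[c];
        if (cell) cell.textContent = v;
      })
    );
  }
}
```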
  45. No I won't go to your site .. by rs232 · · Score: 1

    (Oh, and please fill in my survey for my dissertation!

    NO!

    was Re:Security settings (Score:-1)

    --
    davecb5620@gmail.com
  46. Beware ctfmon.exe by gmenhorn · · Score: 1

    If you do happen to install IE7 (or it gets installed automatically for you by the updated) beware of the process ctfmon.exe. I believe it is used for clear type font stuff but I'm not sure. What I am sure about, though, is that your system will be on the order of 20-30% slower when this process is loaded.