Slashdot Mirror

← Back to Stories (view on slashdot.org)

Clipboard Data Theft Now Optional With IE7

Posted by Zonk on from the options-are-good dept.

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."

27 of 162 comments (clear)

  1. not quite by pchan- · · Score: 5, Insightful

    Firefox, Opera and most other non-IE browsers forbid this behavior by default

    No, they don't forbid. They DON'T IMPLEMENT such a stupid idea. Microsoft had to go out of their way to ADD this "feature".

    1. Re:not quite by Intron · · Score: 4, Funny

      I always cut-n-paste my login information when it has some minimum password length + funny character requirement + no echo. This makes it a lot more convenient to access my bank details from phish sites.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:not quite by uncommonlygood · · Score: 5, Informative

      Don't know about the others, but firefox definitely does implement it, it's just off by default.

    3. Re:not quite by AchiIIe · · Score: 5, Insightful

      Not so fast. Have you tried using google spreadsheets? Try -- then try selecing something, right click and select "Copy", or "Paste"
      - Whoah, you can't copy paste unless you manually do CTRL-V, or CTRL-X/C

      I gave up on using word/openoffice I simply use writely for all my documents. I've had documents being edited with up to 50 people just fine.
      Think twice before blindly bashing microsoft. There are some of us that want that "feature"

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
    4. Re:not quite by the_greywolf · · Score: 3, Insightful
      Do people actually USE Javascript in Opera?!

      Yes. I do a significant amount of my testing in Opera 9 and Firefox, and am in fact developing a full-featured RTE based on designMode that currently works in IE, Firefox, Opera 9, and Safari 2.

      It's not a bad browser for rendering CSS layouts, but its JS engine sucks and has always sucked. Basic AJAX ... simply fails with it to the point all the sites I work on actively sniff for Opera and remove Javascript beyond basic rollovers and form validation. This isn't a troll, as I still test CSS layouts with Opera to ensure templates look correct, but I doubt anyone uses it for its scripting capabilities!

      It reads like a troll, since you clearly haven't done much testing with Opera 9. Their DOM implementation is complete through most of level 2, and is in line with Firefox 2. Their new designMode stuff is very complete, with behavior similar to Firefox's Midas. The XMLHTTPRequest stuff that everyone relies on so much now has been well-supported for a very long time.

      The reason Opera doesn't work on so many "AJAXy" applications is, simply, because of the fact that developers with your mentality either do sniffing of the navigator object (which is Wrong, a Bad Thing, bad practise, and just plain idiotic) or are just too shortsighted to see that Opera is improving with every new release (version 8.0 notwithstanding).

      I do the bulk of my Javascript testing now in Firefox, but use Opera 9 as a test environment to verify results. I test in IE only to see what other kinds of idiotic things its half-assed "DOM" implementation does wrong.

      --
      grey wolf
      LET FORTRAN DIE!
    5. Re:not quite by master_p · · Score: 3, Informative

      But copy-paste works locally. When you copy-paste data between your documents, even on the web, javascript puts the data on the local clipboard. Remote apps should not be able to steel data from the local clipboard.

  2. Probably? by ifrag · · Score: 5, Insightful

    How is something like this only "probably ill-advised".
    This is beyond complete stupidity. I probably can't even count the number of times I've had security sensitive stuff in the clipboard.

    --
    Fear is the mind killer.
    1. Re:Probably? by AchiIIe · · Score: 3, Insightful

      Google spreadsheets? - try doing a copy paste between excel and GS. Google documents? - Would you not want to Select - right click - copy? Well, you might want to, but they overwrite the right click to include their own menu -- and guess what, now you can't

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
    2. Re:Probably? by jesser · · Score: 3, Funny

      You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

      --
      The shareholder is always right.
  3. Can't Believe It by endianx · · Score: 3, Insightful

    I had no idea that was possible. I would never have imagined they would do something so stupid, even Microsoft. What other "features" do they have that I don't know about? I fear to think.

  4. Where's Clippy when you need him? by Anonymous Coward · · Score: 3, Funny
    Please PLEASE, let this warning be issued by Clippy. Such a stupid feature necessitates an equally stupid user interface.

    "It looks like h4XX0R5.net would like to see what's on your clipboard."

    /nostalgic for Clippy
  5. I'm helping! by PingSpike · · Score: 4, Funny

    Internet Explorer:
    Send personal data to unknown source? Click Ok to continue.

  6. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  7. Features vs. Security by Kelson · · Score: 5, Insightful
    Microsoft designed IE with features, not features specifically for secure browsing

    Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product. (Not saying they succeeded at making things convenient, just that it was the goal.) Security was only rarely a concern, because for the most part an attacker (barring the occasional virus-infected floppy) needed physical access to a personal computer to mess with it.

    Two things changed: personal computers are now vastly interconnected. Lots more people have them. Result? Bad guys can attack random machines on the other side of the planet using automated tools. Security is now a major priority.

    Bolting security onto insecure-by-design products has had spotty success. In the last couple of years Microsoft has also tried to make more security-conscious designs...and they've paid for it in complaints when customers lose the convenience of, for example, always running with admin rights.

    1. Re:Features vs. Security by jimlintott · · Score: 4, Insightful

      While I pretty much agree with what you are saying I should point out that this is a web browser we are talking about. Ignorance of connected computers can't apply to a product that requires a connected machine to be useful.

    2. Re:Features vs. Security by Tim+C · · Score: 4, Interesting
      Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.


      Don't forget that that includes UNIX; from the preface to O'Reilly's "Practical Unix and Internet Security":

      When the first version of this book appeared in 1991, many people thought that the words "UNIX security" were an oxymoron-two words that appeared to contradict each other, much like the words "jumbo shrimp" or "Congressional action." After all, the ease with which a UNIX guru could break into a system, seize control, and wreak havoc was legendary in the computer community. Some people couldn't even imagine that a computer running UNIX could be made secure.

      The various flavours of UNIX have come a long, long way since 1991. So have MS; but they have had farther to go, started later and have not been travelling nearly as fast. A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands...
      --
      It's official. Most of you are morons.
    3. Re:Features vs. Security by Rob+the+Bold · · Score: 3, Insightful
      A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands...

      I don't disagree with you at all, but I'm compelled to add this:

      The thing is, computers are ubiquitous -- and omnipresent -- these days, and the bulk of them are running MS Windows of some version. They're as common as stereos, but as touchy as a Stradivarius (or a crappy Strad copy). It's not really a valid assumption that all computer users are experts at using computers. They buy them to shop, do embroidery, type phone lists into spreadsheets, watch porn, keep in touch with relatives, etc. They don't want to be computer experts in order to do these things any more than I want to learn to play bass or drums or violin just to listen to some music.

      So if Microsoft wants ordinary people to be able to continue using Windows PCs in a networked world, security has got to be easier. If the only secure computer is one that is managed by an IT Pro, then the potential market for personal computers (and PC operating systems) is only businesses. And that would be bad news for MS.

      --
      I am not a crackpot.
    4. Re:Features vs. Security by dgatwood · · Score: 3, Insightful

      Yes, and that worm and others like it are the primary reason that sendmail only makes up about half of all the mail servers out there (50-60%, depending on whose numbers you believe). You can't call that a security hole in UNIX any more than you can call an IIS security hole a flaw in Windows XP Pro.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Features vs. Security by Kelson · · Score: 4, Insightful

      It takes time for people -- and companies -- to adjust. I used the term paradigm deliberately. Even though Microsoft should have considered security more carefully when writing a network client, they were still operating under the paradigm established under the older, less-connected reality.

      IE has been around for a decade. It took until people started massively taking advantage of the security flaws in Windows, IE, Outlook (Express) -- the outbreak of worms and viruses a few years ago -- for Microsoft to adjust to the fact that security was not just something to consider, but might possibly trump the old priorities.

    6. Re:Features vs. Security by zeugma-amp · · Score: 3, Insightful

      Plus they also tried to turn IE into a platform for intranet applications that *require* more access to the machine than they should have from within a browser.

      You're not kidding. The place where I work has many intranet applications that require IE use, and also require that you eliminate just about every security mechanism that IE has in order for them to work. Siebel is the biggest offender. You practically have to mount a "please hack me" sign on your workstation after you set up IE to make Siebel work.

      --
      This is an ex-parrot!
  8. Are both ways fixed? by Target+Drone · · Score: 4, Insightful
    If I read the articles correctly it seems there are 2 ways to access the clipboard data.
    1. Via the javascript windows.clipboard object.
    2. You embed an active-x spreadsheet in your page (which gets installed with office) then java script can call a method to paste the contents of the clipboard into a cell in the spreadsheet.
    Anyone know if both methods are now fixed? The Washington Post article doesn't seem to say.
    1. Re:Are both ways fixed? by lostboy2 · · Score: 4, Informative

      Not "fixed" (as in removed), but apparently you can turn it off in IE4 through IE6.

  9. There are many clipboards but this one is mine by wumpus188 · · Score: 3, Funny

    yy
    p

  10. It seemed like a good idea at the time by Somatic · · Score: 5, Funny
    Public: What on earth would motivate you to implement such a thing?

    MS: It seemed like a good idea at the time.

    Public: In what way did it seem like a good idea?

    MS: Well, maybe not a good idea, but an idea.

    Public: So thinking was involved.

    MS: Well, it was more like inspiration.

    Public: ...

    MS: They throw chairs at us. Help. Please.

    --
    My script don't crash! She crashes, you crashed her!
  11. Oh Big Whoop by eno2001 · · Score: 3, Funny

    It's not like people are gonna be able to get anything valuable out of the cut and paste buffer. It's like what? 8k max? And how many people cut and paste valuable things like password, credit card numbers, user IDs, and the like anyway. The most any hacker will get would be part of someone's goofy school paper, a portion of an e-male, maybe at worst a URL (GASP!). This is so like a non-issue. As if...

    [SLASHDOT CLIPBOARD IE7 CONTENT DUMP for User eno2001]:

    eno2001 14m431337h4ck3r (419)555-2727
    Look at this later: http://www.iheartfurries.com/

    ub3rsm00vem4l3: So baby... my wife's out of town the whole weekend. Cum over and play?
    SororityBabe6500000: Oh yeah! Let's party!

    Books to read: How to Build a Nukyelar Bomb in Your Basement for Less than the cost of a Washing Machine, Trisexuals are People Too: A Study in Prejudice, How to Win an Election the Easy Way (Diebold Hacking)

    Important investment info: Steve B said I should sell the Novell stock early next week. Remember to tell Feingold ASAP.

    [END SLASHDOT IE7 CLIPBOARD CONTENT DUMP]

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  12. Security settings-wonderful if you know about them by freeweed · · Score: 3, Insightful

    Does no-one on /. ever go through application settings first?

    Yes.

    Do we even know about, let alone go through all 5,000 braindead security settings that Windows seems to have these days? Hell no. After a while, you have to assume a vendor would do SOMETHING right. This one floored me completely. I thought a dozen open network ports on a home desktop OS was stupid, but this is beyond belief.

    Things like this are why I moved to Linux. It's simply impossible to keep up with every idiotic setting that needs to be changed after a default Windows install.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  13. kids today by Clover_Kicker · · Score: 3, Insightful

    If people considered UNIX to be notoriously insecure in 1991, what did they consider to be secure? Surely not MS-DOS. What else was there to compare it to? VMS?

    The various IBM mainframe OS choices?

    OS/400?

    There were a zillion wierd mini architectures/OS combos you could buy in 1991.