Slashdot Mirror


Clipboard Data Theft Now Optional With IE7

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."

13 of 162 comments

  1. not quite by pchan- · · Score: 5, Insightful

    Firefox, Opera and most other non-IE browsers forbid this behavior by default

    No, they don't forbid. They DON'T IMPLEMENT such a stupid idea. Microsoft had to go out of their way to ADD this "feature".

    1. Re:not quite by Intron · · Score: 4, Funny

      I always cut-n-paste my login information when it has some minimum password length + funny character requirement + no echo. This makes it a lot more convenient to access my bank details from phish sites.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:not quite by uncommonlygood · · Score: 5, Informative

      Don't know about the others, but firefox definitely does implement it, it's just off by default.

    3. Re:not quite by AchiIIe · · Score: 5, Insightful

      Not so fast. Have you tried using google spreadsheets? Try -- then try selecting something, right click and select "Copy", or "Paste"
      - Whoa, you can't copy paste unless you manually do CTRL-V, or CTRL-X/C

      I gave up on using word/openoffice I simply use writely for all my documents. I've had documents being edited with up to 50 people just fine.
      Think twice before blindly bashing microsoft. There are some of us that want that "feature"

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
  2. Probably? by ifrag · · Score: 5, Insightful

    How is something like this only "probably ill-advised"?
    This is beyond complete stupidity. I probably can't even count the number of times I've had security sensitive stuff in the clipboard.

    --
    Fear is the mind killer.
  3. I'm helping! by PingSpike · · Score: 4, Funny

    Internet Explorer:
    Send personal data to unknown source? Click Ok to continue.

  4. Features vs. Security by Kelson · · Score: 5, Insightful
    Microsoft designed IE with features, not features specifically for secure browsing

    Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product. (Not saying they succeeded at making things convenient, just that it was the goal.) Security was only rarely a concern, because for the most part an attacker (barring the occasional virus-infected floppy) needed physical access to a personal computer to mess with it.

    Two things changed: personal computers are now vastly interconnected. Lots more people have them. Result? Bad guys can attack random machines on the other side of the planet using automated tools. Security is now a major priority.

    Bolting security onto insecure-by-design products has had spotty success. In the last couple of years Microsoft has also tried to make more security-conscious designs...and they've paid for it in complaints when customers lose the convenience of, for example, always running with admin rights.

    1. Re:Features vs. Security by jimlintott · · Score: 4, Insightful

      While I pretty much agree with what you are saying I should point out that this is a web browser we are talking about. Ignorance of connected computers can't apply to a product that requires a connected machine to be useful.

    2. Re:Features vs. Security by Tim+C · · Score: 4, Interesting
      Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.


      Don't forget that that includes UNIX; from the preface to O'Reilly's "Practical Unix and Internet Security":

      When the first version of this book appeared in 1991, many people thought that the words "UNIX security" were an oxymoron -- two words that appeared to contradict each other, much like the words "jumbo shrimp" or "Congressional action." After all, the ease with which a UNIX guru could break into a system, seize control, and wreak havoc was legendary in the computer community. Some people couldn't even imagine that a computer running UNIX could be made secure.

      The various flavours of UNIX have come a long, long way since 1991. So have MS; but they have had farther to go, started later and have not been travelling nearly as fast. A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands...
    3. Re:Features vs. Security by Kelson · · Score: 4, Insightful

      It takes time for people -- and companies -- to adjust. I used the term paradigm deliberately. Even though Microsoft should have considered security more carefully when writing a network client, they were still operating under the paradigm established under the older, less-connected reality.

      IE has been around for a decade. It took until people started massively taking advantage of the security flaws in Windows, IE, Outlook (Express) -- the outbreak of worms and viruses a few years ago -- for Microsoft to adjust to the fact that security was not just something to consider, but might possibly trump the old priorities.

  5. Are both ways fixed? by Target+Drone · · Score: 4, Insightful
    If I read the articles correctly it seems there are 2 ways to access the clipboard data.
    1. Via the javascript windows.clipboard object.
    2. You embed an active-x spreadsheet in your page (which gets installed with office) then java script can call a method to paste the contents of the clipboard into a cell in the spreadsheet.
    Anyone know if both methods are now fixed? The Washington Post article doesn't seem to say.
    1. Re:Are both ways fixed? by lostboy2 · · Score: 4, Informative

      Not "fixed" (as in removed), but apparently you can turn it off in IE4 through IE6.

  6. It seemed like a good idea at the time by Somatic · · Score: 5, Funny
    Public: What on earth would motivate you to implement such a thing?

    MS: It seemed like a good idea at the time.

    Public: In what way did it seem like a good idea?

    MS: Well, maybe not a good idea, but an idea.

    Public: So thinking was involved.

    MS: Well, it was more like inspiration.

    Public: ...

    MS: They throw chairs at us. Help. Please.

    --
    My script don't crash! She crashes, you crashed her!