Slashdot Mirror


Adobe Flash Ads Launching Clipboard Hijack Attacks

bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."

353 comments

  1. Clicked on the flash area in NoScript in the demo by Derek+Pomery · · Score: 2, Informative

    But although the flash launched, that wasn't enough to get the attack going.
    And given how much it takes for me to do even that, I don't think NoScript users have much to be worried about.

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  2. what sort of flash? by Anonymous Coward · · Score: 5, Funny

    "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards..."

    booby flash?

    1. Re:what sort of flash? by Anonymous Coward · · Score: 1, Informative

      No, that's happening in Auckland New Zealand
      http://www.stuff.co.nz/4662948a11.html

    2. Re:what sort of flash? by Anonymous Coward · · Score: 0

      Oh, if I only could copy your funny comment into an email for my work colleague, but all that comes out of my clipboard is "http://www.evil.com"... :-(

      D'oh, just realised that I am not logged in. Now if I only could copy my comment, log in and post it again... sigh...

  3. Hard to remove? by TubeSteak · · Score: 1

    I closed the demo window and Ctrl-C works as normal

    --
    [Fuck Beta]
    o0t!
    1. Re:Hard to remove? by INeededALogin · · Score: 4, Interesting

      I closed the demo window

      The average user is not going to know that they have been hijacked and they won't necessarily know which window is doing it. The clipboard hijacker could even wait until you copy a url before modifying it.

    2. Re:Hard to remove? by Anonymous Coward · · Score: 0

      The clipboard hijacker could even wait until you copy a url before modifying it.

      You can't read clipboard content!

    3. Re:Hard to remove? by Lavene · · Score: 1

      I closed the demo window and Ctrl-C works as normal

      Imagine that!

      (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

      I know: Jokes about RTFA are sooo old, therefore I won't make any...

    4. Re:Hard to remove? by budgenator · · Score: 1

      what happens is the clipboard is loaded with the url http://www.evil.com/ at the demo site; I'm using Firefox 3.0.1 on Linux so this is pretty disconcerting to me. The Wife ran into the real deal hijack over on myYearbook.com; she thought she'd be smart and click cancel but that started the loading of the malware!

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    5. Re:Hard to remove? by budgenator · · Score: 2, Informative

      you can in KDE just open klipper, In Windows I'd imagine I'd open wordpad and ctrl-v to see what was there.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    6. Re:Hard to remove? by muffen · · Score: 2, Informative

      ... yea, or you can RTFA and reach the following conclusion.

      Demo:
      (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

      Exploit:
      From TFA
      My clipboard has been hijacked with this:
      [ malicious URL deleted ]
      And once it's in the clipboard, I can't copy anything else over it until I've restarted the machine.

      So basically, real exploit != demo exploit.

    7. Re:Hard to remove? by Chris+Pimlott · · Score: 2, Insightful

      Congrats. Now imagine that you don't know which window of a dozen well-known webpages has the malicious ad hidden in it.

    8. Re:Hard to remove? by svank · · Score: 1

      But Flash can't open Klipper. I read the GP to say that the malicious Flash program can't read clipboard content to see when you copy a url.

    9. Re:Hard to remove? by Anonymous Coward · · Score: 0

      Flash has no way to get clipboard contents, so unless javascript can handle clipboard detection, all flash can do is force clipboard to have some malicious value.

    10. Re:Hard to remove? by scotsghost · · Score: 1

      Of course you can. It's called PASTE. It's one of two reasons the clipboard exists. (The other one's called COPY.)

      I'd imagine, if you use setClipboard to SET the CLIPBOARD contents (again, that's called COPY), you'd probably use getClipboard to GET whatever's there (and that's PASTE).

    11. Re:Hard to remove? by budgenator · · Score: 1

      I went to the demo site and the url http://evil.com/ appeared in klipper, I cleared the clipboard and the url http://evil.com/ was gone, I went back to the demo site and the url http://evil.com/ was back in the clipboard, so the flash definitely opened the clipboard in Firefox running in Linux under the KDE 4.0.1 environment; it weirded me out too, I'm not used to things like that happening in Linux.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:Hard to remove? by gnuman99 · · Score: 1

      It is the *flash* plugin that is accessing your "Linux" (X,KDE,Gnome,etc) clipboard and writing over it. The exploit does NOT care it is running on Linux.

  4. Block ads by Matt+Perry · · Score: 1

    This is yet one more reason why I block all ads.

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    1. Re:Block ads by actionbastard · · Score: 0, Offtopic

      "Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles."

      "Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdotal Battles."
      There, I fixed your sig for you. You're welcome.

      --
      Sig this!
    2. Re:Block ads by stewbacca · · Score: 1

      Why not just not click on the ads instead of going through all the ad-blocking run-around "tips" offered in this (and every Flash article) thread? Screw all those ad-ons..I'll just not click the ad.

    3. Re:Block ads by stewbacca · · Score: 1

      Because NOBODY ever uses the word "pedantic" on slashdot to try to sound more smarturer.

    4. Re:Block ads by redxxx · · Score: 1

      1. I don't want to see ads.
      2. I don't want ad companies tracking what I do online(either my IP address or allowing them access to my cookie-space).
      3. I don't want to expose myself to the possibility of malicious scripts being run.
      4. It bugs the heck out of me that marketing folks attempt to control my actions without me being aware of it, which is the point of 'building a brand' via advertising.
      5. They make use of resources(time, bandwidth, memory, HDD space for caching) that I'd rather use for other things.
      6. I really don't want to see ads.

    5. Re:Block ads by stewbacca · · Score: 1

      1- I understand.

      2&3-Non-issues if you don't actually click the ads (besides, Google is already tracking you anyway). And if you don't run WindowsBrand, you are most likely fine, since most of those schemes are targeted at, and only work if you are using Windows

      4- You should just be better than them. If you live in the US, you are bombarded by intellect-insulting advertising all day/every day. Blocking a few of them on your web browser is a very very small victory (one battle in a huge war).

      5- If you have a modern machine and a broadband connection, this is hardly an issue. If you are mucking about with your system to avoid these ads, then you've already lost in the "time" category

      6-Neither do I, but like I said, I don't feel the need to run through all the hoops required to block something that has such a minimal impact on my life that it isn't worth my time. Now if these browser came with all this stuff pre-configured, THAT would be well worth my time.

  5. flashblock by owlnation · · Score: 5, Informative

    as though we really need yet another reason to use flashblock...

    This one small piece of technology has made browsing the web bearable again. I can't ever thank its developers enough.

    1. Re:flashblock by corsec67 · · Score: 1

      I go a step further, and have a primary browser that doesn't have flash installed, and then a second browser with flash and flashblock, for the rare time when I actually want to watch a flash video.

      --
      If I have nothing to hide, don't search me
    2. Re:flashblock by enoz · · Score: 4, Informative

      You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

    3. Re:flashblock by smittyoneeach · · Score: 4, Funny

      This is /., where over-engineering would be considered a virtue if laziness hadn't won out.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    4. Re:flashblock by maxume · · Score: 1

      Why?

      If you do it that way so that people think you don't have flash installed, you should realize that no one cares if you have flash installed or not (putting it another way, the few people who are actually looking at the installed base when they consider using flash are making their decisions based on the enormous majority that does have flash installed, not based on the puny minority that does not have flash installed).

      --
      Nerd rage is the funniest rage.
    5. Re:flashblock by FictionPimp · · Score: 4, Interesting

      I have talked quite a few companies out of using flash while consulting for them. I have used many legitimate reasons. Accessibility for the disabled, backwards compatibility, not using a business model dependent on a 3rd party's proprietary software, and the general annoyance of most users when they encounter a flash based website. I have found that a nice clean site developed with good web standards can do 99% of what most people want to do with flash. It will fail better on older browsers, it will load faster (in most cases), and it will be more usable by the customer with the least amount of work (larger fonts, screen readers, alternate color schemes, opening windows in new tabs, bookmarking, etc).

      IMHO, companies that choose to use flash do so because they don't have the resources to see there are better choices AND they already know flash.

    6. Re:flashblock by unlametheweak · · Score: 1

      That reminds me of the 1990's when JavaScript and pop-up ads were very popular. Most people had dial-up Internet access back then and would cancel out of a pop-up ad before it even loaded. About 5 or 6 years later I read a story on ZDNet that companies were starting to re-think their use of pop-up ads because they found that a lot of people cancel out of them before they finish loading. It's a shame that business leaders and Managers need consultants to tell them what everybody else already knows about bad technology and bad business practices.

    7. Re:flashblock by gstoddart · · Score: 2, Informative

      You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

      But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

      Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session. It would be nice to copy a link from a trusted site into a browser set up to not trust anyone and be in a very locked down mode.

      For me, I would find that to be a useful feature -- two browsers with two profiles, and as long as the two have distinct visual settings, you can have the best of both worlds.

      Cheers

      --
      Lost at C:>. Found at C.
    8. Re:flashblock by Gerzel · · Score: 1

      Flash is a good tool for certain purposes and can often add quite a bit to many websites, but the problem comes when they base their entire website on Flash.

      I've been in a collegiate course where the end assignment was to build a website and we were generally to do it in flash, and I know a lot of others that teach flash. Now the course I took wasn't a web-development course (at least not directly, it was about the over-all design and not the tools used) and didn't have time to teach nor the prerequisite of knowing html so flash was the most expedient option.

    9. Re:flashblock by Mahjub+Sa'aden · · Score: 1

      Also, I doubt the massive population of Linux users running IE and Safari are going to be affected.

      --
      What is is all that is. Isn't that obvious?
    10. Re:flashblock by FictionPimp · · Score: 3, Interesting

      I've seen good flash work. For example there was a drum kit builder I ran across where you could select drums, change colors, locations, etc. It was done really well and would have been a messy project to do with javascript. Another great example might be a 3d view of a car that lets you adjust options via a menu system.

      I'm also a fan of flash games. It lowers the level of entry for game writers and performs well. However, most of the flash people want to do seems to be in places where it simply does not belong. For example site navigation, or content.

      I remember trying to look up local car dealerships in my area to buy a new car. I couldn't stand how every site needed to pre-load, play music (with no option to turn off) and animate with sound every single content switch. I just wanted to look at what was on their lot, I wanted to open up the items I was interested in on separate tabs so I could compare them. The experience was so horrible I ended up just visiting the dealers (of course maybe that was their idea....)

    11. Re:flashblock by spisska · · Score: 1

      But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time.

      Sure you can. Just fire up your favorite terminal, use su user2 to switch to another user account, and launch Firefox from there.

      If you're using Ubuntu, you may have to run the command xhost +LOCAL: from your primary user account to let other non network users access the display.

      Two separate browsers, two separate users, two profiles, two caches, two home directories, etc.

      You can cut and paste URLs, and even drag tabs from one to the other.

      but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session.

      Ah. I see. Well, the first step is to get an operating system that properly deals with multiple and non-admin users.

    12. Re:flashblock by __aawavt7683 · · Score: 1

      Console:

      firefox -ProfileManager --no-remote

      This will bring up a profile window, and you can choose which profile you want to use. Only browser sessions after the first must use --no-remote, but it must be there on all but the first.

      I find it very convenient to run two firefox sessions -- one on my local computer, one on a USB key...

      -DrkShadow

    13. Re:flashblock by Anonymous Coward · · Score: 0

      We over-engineer from the start so that we can be lazy for a longer period of time. Give them what they want, engineer in what you think they will ask for later, and it's several, "Hey can we add this..." before there is much work to be done.

    14. Re:flashblock by JayGuerette · · Score: 4, Informative

      But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

      Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session.

      Yes, you are completely wrong. My wife and I have discrete Firefox profiles on one computer, and often have 2 browser windows open, one on each profile. She has her own plugins, preferences, bookmarks, & history; and I have mine. Use the profile manager to create the profiles, add "-no-remote -p profilename" to a shortcut, and you're good to go. There was a plugin for FF2 called FireTitle, that allowed us to put our profile names in the window title, but alas it's not been updated for FF3.

    15. Re:flashblock by arotenbe · · Score: 1

      Ah. I see. Well, the first step is to get an operating system that properly deals with multiple and non-admin users.

      *cough* Run As *cough*

      Of course, it's a dumb solution anyway...

      --
      Tomato wedge sperm darts that are Republican.
    16. Re:flashblock by Anonymous Coward · · Score: 1, Interesting

      in windows, use runas (from a command prompt or context menu).

      a nice feature of runas is that you don't need to bother with --no-remote -P.

      note that generally X11 sessions can communicate with each other even if they aren't the same user.
      At least, when I do ssh -X myuser@something from a coworker's computer, I need to do firefox --no-remote -P
      otherwise my firefox will just talk to his firefox.

    17. Re:flashblock by Atlantis-Rising · · Score: 1

      That's not really a solution to his problem, though.

      Yes, in Windows you can also use the equivalent of sudo to gain access to another user session on a per process basis, but that's not really what he appears to desire; rather, he wants the ability to launch separate processes in separate security contexts for the same user.

      --
      "It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
    18. Re:flashblock by black_lbi · · Score: 3, Informative

      as though we really need yet another reason to use flashblock...

      I've checked the demo, and although the flash is blocked, it initially modifies my clipboard content. But I can use ctrl-c to replace it with something else. If the flash isn't blocked, ctrl-c is useless.
      So flashblock kinda helps you, but you're still vulnerable.

    19. Re:flashblock by Anonymous Coward · · Score: 0

      I couldn't agree with you more.

      I'm a Flash/Flex developer and every time I get hired at a new company I hear them describing this brilliant new startup idea "all in flash! all in flex! with papervision and OMG PONIES!!" I die a little on the inside.

      But it pays well.

      I still hate the technology though.

    20. Re:flashblock by enoz · · Score: 1

      Bingo, and you can also specify the profile name on the command line to bypass the profile popup (or if you wish to make a shortcut icon to it).

      And there we have it, multiple browser processes running with discrete profiles, all without switching users or sudo'ing.

      Note, I can't remember my exact command but according to the documentation the -no-remote option has a single preceding dash: http://kb.mozillazine.org/Command_line_arguments

    21. Re:flashblock by enoz · · Score: 2, Informative

      Try this for overriding an incompatible extension:

      Open the .xpi as a zip file and extract install.rdf

      Edit the em:maxVersion tag and set to 3.*, or whatever version you want it valid until.

      Insert the updated install.rdf into the .xpi and install into Firefox.

      Check that it doesn't implode.

      Enjoy.

      I have successfully used this with several extensions, YMMV.

    22. Re:flashblock by Virtual_Raider · · Score: 1

      For me, I would find that to be a useful feature -- two browsers with two profiles, and as long as the two have distinct visual settings, you can have the best of both worlds.

      Cheers

      You may want to give my approach a go. I have Sandboxie installed and I run firefox sandboxed by default. To run it unsandboxed I have a batch that launches it, so I'm aware I'm doing something "unsafe". There is an option to allow the sandboxed browser to directly access your favorites, so even if you empty the sandbox whatever you bookmarked remains.

      That alone should stop most attacks, but if you want to be even more paranoid you can also install SysInternals' tools. They come with a wonderful little tool called psexec that will allow you to launch any process as a limited user like this: psexec -ld firefox.exe The "-ld" switches mean '[l]imited' and '[d]ont wait for process to end'.

      So the sandboxed firefox (and IE, for the work-related or other odd sites that demand it) also run as limited users. In fact you can use the windows START command in your sandboxed batch file to run them in high priority ( START "annoying mandatory title" /HIGH "psexec -ld c:\prog~1\mozilla\firefox.exe" ) and your browsing experience should be blazingly fast and safe ;)

      --
      +Raider of the lost BBS
    23. Re:flashblock by Anonymous Coward · · Score: 0

      Another good reason to persuade companies: They don't have to redo the site for iPhones, or any of the other upcoming mobile internet devices which may or may not support Flash.

    24. Re:flashblock by jacquesm · · Score: 1

      the only use I can find for flash is to be able to use their audio/video codec, it's installed on so many clients and platforms that it's by far the easiest route.

      Other than that it can't die out fast enough for me.

    25. Re:flashblock by jacquesm · · Score: 1

      Talk about selling your soul to the devil :)

      No need to post it AC though, we won't tell. Promise.

    26. Re:flashblock by jesterpilot · · Score: 1

      Companies use flash because it's a weapon against adblockers. It ties form & content together. With webstandards, users have the power to decide which parts of a website they want to see and which not. Many companies, especially advertisers, don't like that.

      That is the problem of webstandards. They put the user in the drivers seat. They are good for you and not for the advertisers.

      --
      Trust me, I work for the government.
    27. Re:flashblock by OshMan · · Score: 1

      Granted that flash is often used gratuitously but deriding all companies using it is really over the top. There has been a long painful march toward delivering "Rich Internet Applications" starting back before Java AWT and Swing. Ajax while having shown the possibilities for RIA's, with apps like Gmail, is a chaotic wilderness of home spun and cross browser nightmares. Adobe's Flex a technology built on top of flash is becoming a very powerful and cross browser compatible alternative for making highly interactive and dynamic interfaces. Ignore it at your career's peril.

    28. Re:flashblock by jamienk · · Score: 1

      Flashblock DOES block the attack for me...

    29. Re:flashblock by Anonymous Coward · · Score: 0

      Now that's awesome, and is an appropriate use of flash. I can even understand why some ads are done in flash. However, when your homepage is a flash script even with or without "buttons" that are blended into the background, I have a different opinion entirely.

    30. Re:flashblock by Hatta · · Score: 1

      As a general rule, anything that works well in Flash would be even better as a native application. Flash really has no place anywhere. When it's used for web navigation, it sucks worse than html+javascript. When it's used for applications, it sucks worse than a native application.

      --
      Give me Classic Slashdot or give me death!
    31. Re:flashblock by FictionPimp · · Score: 1

      I keep hearing about all this cross browser stuff. Yet everything I write just seems to work in every major browser without any issues. I guess it all comes down to the developer.

      For most of my ajax work I have started using JQuery. It is powerful and has a nice feel to it. Everything you do with it works on all major browsers. I of course design my sites to function first without any javascript or css, then I tack the javascript on top to add that level of 'cool' the customer wants. You can't do that with flash. The designer decided red text on a green background was the way to go, well with flash you are screwed if you are red/green colorblind. With html/css/javascript, this is no issue. Are you nearly blind and the developer thought 8pt font was good for the content? Well you better hope he decided to give you a button in flash to grow the font, because you are screwed. Unless it was done using html/css, then it is a simple matter of using the browser to increase the font size. What if you are totally blind? Are there even flash screen readers out there?

      It is not that I ignore the solutions. I understand them and I've even done work with them. However, I have found that in 99% of the cases the use is a bad choice. It adds un-needed complexity, development time, and a whole range of issues. When I develop a website I can tell my clients that if the customer goes to the site with IE6/7/8, firefox 2/3, safari, iphones, opera, links, etc that it will work. I only have to do the work once and without the user having to install anything or have the latest versions of anything. This decreases my costs and the clients costs. With flash I can not do that, I have to do the work multiple times, once in flash, once in html/css/javascript.

      This reminds me of the time I was told I needed to get with the asp/asp.net world because php/java was dying for web work. As long as I can keep showing good technical reasons for using the technology I use AND keep the costs cheaper than the proprietary alternatives, I'm going to win the job.

    32. Re:flashblock by gnuman99 · · Score: 1

      I'm sorry? You lost me at "This is /., where..." then I kind of went to the next comment. Yours read like TFA - damn long!

    33. Re:flashblock by jc42 · · Score: 1

      As a general rule, anything that works well in Flash would be even better as a native application.

      Not necessarily. I'm typing this on a 4-year-old Mac Powerbook. If I look at sites like youtube, the videos work fine. But if I save the videos to disk (e.g. via Downloadhelper), and run them with the SWF&FLV Player (which seems to be the only thing I've found that will run .flv files on this Mac), they are nearly unwatchable. Even if I close down all the other running apps to give SWF&FLV Player most of the 1GB of memory and all the CPU, it still stumbles and skips a couple times per second. But if I view the same flash video in any of the dozen browsers I have installed, it works fine in all of them, even with other apps using 3/4 of the memory and half the cpu.

      Perhaps there's a program that can actually play .flv files as well as the browsers can, but I haven't been able to find it.

      Funny thing is that I solved the problem of running .flv files locally by writing my own web page that takes a file://... URL and runs the local file inside the browser. That works even better than sites like youtube, because it doesn't have the occasional pause due to network delays.

      Another funny thing is that I mentioned this a couple of years ago on a tech mailing list, and got several explanations why what I did is probably a violation of all sorts of licenses, trademarks, copyrights, etc. It's a funny world.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  6. confirmed on mac os x 10.5.4 by v1 · · Score: 4, Informative

    it copied "http://www.evil.com/" to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

    The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

    --
    I work for the Department of Redundancy Department.
    1. Re:confirmed on mac os x 10.5.4 by ScentCone · · Score: 5, Funny

      confirmed on mac os x 10.5.4

      I'm sorry, but you're using a Mac and anything like this is completely impossible. Why do you hate Mac users, that you would say such a disturbing thing? You are mean.

      --
      Don't disappoint your bird dog. Go to the range.
    2. Re:confirmed on mac os x 10.5.4 by Mr.+Marabou+Man · · Score: 5, Informative

      Yeah ? Interesting. On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away. YMMV, obviously.

    3. Re:confirmed on mac os x 10.5.4 by azav · · Score: 1

      Since Flash files are easily unprotected and opened up, it would be interesting to see how this is happening. I'll bet that the flash file populates the clipboard several times a second as the flash frame advances. I'm interested how this flash movie stays in memory and keeps running. It seems like it attaches to something to keep its instance running.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
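
Added example, not part of any comment in this thread and not code from the demo: several posters report that while the page is open, anything they copy is replaced by the same URL. The Python sketch below flags that symptom from timestamped clipboard samples; the traces, thresholds and function names are constructed for illustration, and only the URL is the one quoted from the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)


@dataclass
class Finding:
    value: str          # clipboard text that keeps coming back
    reassertions: int   # times it displaced something that had just been copied
    first_seen: float   # time of the first reassertion
    last_seen: float    # time of the latest reassertion
    is_url: bool


def collapse(samples):
    """Merge consecutive identical samples into [start, end, value] runs."""
    runs = []
    for t, value in samples:
        if runs and runs[-1][2] == value:
            runs[-1][1] = t
        else:
            runs.append([t, t, value])
    return runs


def find_sticky_values(samples, max_displaced=1.0, min_reassertions=3):
    """Return values that repeatedly overwrite whatever replaced them.

    A reassertion is the pattern V -> X -> V where X survived no longer than
    max_displaced seconds. A user pasting the same text twice produces this
    rarely; something rewriting the clipboard on a timer produces it on
    every copy.
    """
    runs = collapse(samples)
    hits = defaultdict(list)
    for before, displaced, after in zip(runs, runs[1:], runs[2:]):
        if before[2] != after[2]:
            continue
        survived = after[0] - displaced[0]
        if survived <= max_displaced:
            hits[after[2]].append(after[0])
    findings = [
        Finding(value, len(times), times[0], times[-1], bool(URL_RE.match(value)))
        for value, times in hits.items()
        if len(times) >= min_reassertions
    ]
    return sorted(findings, key=lambda f: -f.reassertions)


# Constructed samples: (seconds since start, clipboard text).
EVIL = "http://www.evil.com/"  # URL reported by posters who tried the demo

# The user copies "hello", "foo" and "bar"; each is overwritten almost at once.
HIJACKED_TRACE = [
    (0.0, "meeting notes"),
    (0.5, EVIL), (1.0, EVIL), (1.5, EVIL),
    (2.0, "hello"), (2.2, EVIL), (3.0, EVIL),
    (5.0, "foo"), (5.2, EVIL),
    (8.0, "bar"), (8.1, EVIL), (9.0, EVIL),
]

# Ordinary use: slow alternation plus a single quick copy-back.
BENIGN_TRACE = [
    (0.0, "alpha"), (10.0, "beta"), (25.0, "alpha"), (40.0, "beta"),
    (40.5, "gamma"), (40.9, "beta"),
]

if __name__ == "__main__":
    for name, trace in (("hijacked", HIJACKED_TRACE), ("benign", BENIGN_TRACE)):
        print(name, find_sticky_values(trace))
```

The heuristic only sees a copy that survives long enough to be sampled, so the sampling interval has to be shorter than the rewrite interval, or the samples should come from the operating system's clipboard-change notifications instead of polling.
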
    4. Re:confirmed on mac os x 10.5.4 by wtfispcloadletter · · Score: 1

      In Windows I just had to put something else in the clipboard. Wrote some text, highlighted it, Ctrl+C, done.

    5. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      I copied something in notepad++ and had no problems.

    6. Re:confirmed on mac os x 10.5.4 by pushing-robot · · Score: 2, Insightful

      Here on 10.5.4/Safari 3.1.2, closing the browser window/tab or simply navigating to another page fixes it.

      Still, it's disturbing that a web site can copy data to the clipboard without permission. Browser makers need to make plugin content opt-in (a la flashblock), or at least run plugins in a very limited sandbox until the user requests otherwise.

      --
      How can I believe you when you tell me what I don't want to hear?
    7. Re:confirmed on mac os x 10.5.4 by davolfman · · Score: 1

      Ctrl-c with text selected seems to do the trick for windows with me.

    8. Re:confirmed on mac os x 10.5.4 by fluffman86 · · Score: 3, Informative

      ditto. closing the tab in firefox 3.0.1 on Ubuntu 8.04 works for me.

    9. Re:confirmed on mac os x 10.5.4 by fermion · · Score: 0, Flamebait

      Honestly, when Apple put out Safari without a built in flash blocker, it spelt the beginning of the end. Apple now, like MS, treats users as a means to generate a long term profit stream, not like a customer who paid a huge amount of money for a machine and expects to be treated as a customer.

      Fortunately there is camino. Unfortunately most people don't use it. Flash is really enemy #1 in terms of security, and it would be nice if Adobe would build in a mandatory stop/start button into the specification. Fortunately, there is still no flash on the iPhone, and if we are lucky there never will be.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    10. Re:confirmed on mac os x 10.5.4 by Ethanol-fueled · · Score: 1

      He must be using one of those Psystar thingies, and we all know those aren't Macs.

      No, they're not.

    11. Re:confirmed on mac os x 10.5.4 by jcr · · Score: 1

      Honestly, when Apple put out Safari without a built in flash blocker,

      Go to Safari Preferences, select the security tab and uncheck the "Enable plug-ins" box.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    12. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      It is not Mac's fault Adobe totally fucked up Flash. I blame PC!

    13. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Fortunately, there is still no flash on the iPhone, and if we are lucky there never will be.

      Why does it matter? You can't copy and paste on an iPhone anyways! :P

    14. Re:confirmed on mac os x 10.5.4 by marxmarv · · Score: 1

      How would you run plugins in a sandbox without running them in a VM? And then, what's the point of the plugin if it isn't native code? Plugins do exactly what they should. Blame the plugin authors for being so obnoxious and presumptive.

      --
      /. -- the Free Republic of technology.
    15. Re:confirmed on mac os x 10.5.4 by mr_mischief · · Score: 2, Informative

      Closing just the tab worked for me on these browsers on Mandriva:

      Firefox 3.0.1 (from Mozilla's site)
      Firefox 2.0.0.16 (from the repository).
      Opera 9.50 (from Opera's site)

      Too lazy right now to fire up Windows or Mac.

    16. Re:confirmed on mac os x 10.5.4 by FictionPimp · · Score: 1

      I'd love to use Camino. I need foxmarks, firebug, something like 'distrust' and stumble. Give me that and I'd switch in a heart beat.

    17. Re:confirmed on mac os x 10.5.4 by DustyShadow · · Score: 1

      same for me in windows. firefox 3.0.1

    18. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Not only that, but when going to the page in Mac your computer actually becomes _more_ secure. Because it's a mac.

    19. Re:confirmed on mac os x 10.5.4 by quacking+duck · · Score: 1

      Closing the Safari window let me copy something else into the clipboard. Didn't need to quit it, let alone restart the computer.

      I wonder if it depends on the version of Flash you have installed too?

    20. Re:confirmed on mac os x 10.5.4 by Machtyn · · Score: 1

      Have you not seen TinyURL? When you create a TinyURL, it copies the addy to the clipboard. It's a feature I find very useful. Although, I use the firefox plugin now instead of their direct website.

    21. Re:confirmed on mac os x 10.5.4 by amsr · · Score: 1

      Yeah it looks like I can get around it by@*&^^^ Thread 0 Crashed: ...com.macromedia.Flash Player.plugin...

    22. Re:confirmed on mac os x 10.5.4 by martinw89 · · Score: 1

      I didn't even have to close the tab, just going to another page made the clipboard go back to normal behaviour (ctrl-c / ctrl-v flavour and middle click flavour both) on Ubuntu 8.04.1 / Firefox 3.01. And the script didn't even work until I let it through NoScript. However, to the exploit's credit I often will allow all for credible pages.

    23. Re:confirmed on mac os x 10.5.4 by falconwolf · · Score: 2, Informative

      it copied "http://www.evil.com/" to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

      The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

      Using Firefox, quitting wasn't enough, but logging out of the user then logging back in worked. That's another good reason to have a non superuser, non admin user profile.

      Falcon

    24. Re:confirmed on mac os x 10.5.4 by poptones · · Score: 1

      I just press the little launcher I made that kills npviewer.

      Bang, done.

    25. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Shit yeah, FF 3.0.1 on slack here, same behavior. Slack rocks. (and FF).

    26. Re:confirmed on mac os x 10.5.4 by I'm+Don+Giovanni · · Score: 1

      "Apple now, like MS, treats users as a means to generate a long term profit stream, not like a customer who paid a huge amount of money for a machine and expects to be treated as a customer."

      What do you mean, Apple is "now" acting this way? Apple's always been like this. This is the company that for years actually charged users for the ability to watch videos at full screen with QuickTime player. Apple's never been an altruistic saint by any stretch of the imagination.

      --
      -- "I never gave these stories much credence." - HAL 9000
    27. Re:confirmed on mac os x 10.5.4 by falconwolf · · Score: 2, Informative

      On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away.

      My setup is Firefox 2.0.0.6 running on 10.4.11 and I had to log out of my user account then log back in. Simply quitting Firefox didn't work.

      Falcon

    28. Re:confirmed on mac os x 10.5.4 by reachinmark · · Score: 1

      Actually, all you need to do is ensure that the .SWF file gets unloaded - i.e. go to another page. While I haven't pried into the demo in any details, you can be fairly sure that all the Flash code is doing is repeatedly setting the clipboard to the same URL as often as it can: probably 30hz or so, which is quick enough for you not to be able to copy and paste something else without it getting there and screwing up the clipboard first.

    29. Re:confirmed on mac os x 10.5.4 by Tragek · · Score: 1

      On leopard, with iClip, iclip crashed, then the whole thing locked.

    30. Re:confirmed on mac os x 10.5.4 by zx-15 · · Score: 1

      This thing works on Debian Testing /Iceweasel & Conqueror. It affects Ctrl+C, Ctrl+V options, but doesn't seem to affect unix type of copy/paste - when you select text to copy, and paste it using middle mouse button.

    31. Re:confirmed on mac os x 10.5.4 by grishnav · · Score: 1

      Firefox 2.0.0.16 on Windows XP SP2. Confirmed. Closing the tab makes it stop. Using TrayClip to monitor the clipboard, I can see it updates every 3-4 seconds.

    32. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Closing the tab worked for me too (Firefox 3.0.1 on Ubuntu 8.04). And I had to specifically click the thing to enable it in NoScript. Of course, noscript's enableclipboard switch was set (by default) to off, so clearly that stops when you choose to allow an application. Any chance they'll fix that (or add another switch)?

    33. Re:confirmed on mac os x 10.5.4 by maypull · · Score: 1

      Yup, simply closing the tab also works in Camino 1.6.3 on Leopard.

    34. Re:confirmed on mac os x 10.5.4 by PhilHibbs · · Score: 1

      I can confirm that the demo updates the clipboard constantly, approximately 120 times a second on my machine. Here's my perl code (Windows only, sorry):

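      use strict;
      use warnings;
      use Win32::Clipboard;

      my $CLIP = Win32::Clipboard();
      # Block until the first clipboard change before starting to log.
      $CLIP->WaitForChange();

      # Print a timestamp for every later clipboard change (stop with Ctrl+C).
      while ( 1 ) {
          $CLIP->WaitForChange();
          print localtime()."\n";
      }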
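
The behaviour measured in the comments above (the demo rewriting the clipboard so often that a user's own copy is replaced almost at once) can be recognised from a log of clipboard-change events. This is an added example, not part of the thread: the event format, the thresholds and the two sample logs are constructed assumptions.

```python
"""Flag a clipboard that some process keeps resetting to the same text.

Input: (timestamp_seconds, text) clipboard-change events, as a monitor like the
Perl loop above could record. Event format and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    value: str       # text the clipboard keeps being reset to
    rewrites: int    # how many times that text was written
    overridden: int  # copies of other text replaced by it within `grace` seconds


def detect_clipboard_pinning(events, window=5.0, min_rewrites=3, grace=1.0):
    """Return a Finding when one value is written at least `min_rewrites` times
    inside `window` seconds, otherwise None."""
    events = sorted(events)
    times_by_value = defaultdict(list)
    for ts, text in events:
        times_by_value[text].append(ts)

    for value, times in times_by_value.items():
        # Slide over this value's own write times: a burst of min_rewrites
        # writes within `window` seconds is not normal copy behaviour.
        burst = any(
            times[i + min_rewrites - 1] - times[i] <= window
            for i in range(len(times) - min_rewrites + 1)
        )
        if not burst:
            continue
        # Count copies of other text that were overwritten almost at once.
        overridden = sum(
            1
            for (ts, text), (next_ts, next_text) in zip(events, events[1:])
            if text != value and next_text == value and next_ts - ts <= grace
        )
        return Finding(value, len(times), overridden)
    return None


# Constructed sample logs (not captured from the demo page).
HIJACKED = [
    (0.00, "http://www.evil.com"),
    (0.25, "http://www.evil.com"),
    (0.50, "http://www.evil.com"),
    (0.60, "text the user just copied"),
    (0.75, "http://www.evil.com"),   # the user's copy is replaced 0.15 s later
    (1.00, "http://www.evil.com"),
]
NORMAL = [
    (0.0, "ls -la"),
    (12.0, "error: file not found"),
    (40.0, "https://slashdot.org/"),
    (41.0, "https://slashdot.org/"),  # copying the same thing twice is not a burst
]

if __name__ == "__main__":
    print(detect_clipboard_pinning(HIJACKED))
    print(detect_clipboard_pinning(NORMAL))
```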

    35. Re:confirmed on mac os x 10.5.4 by Der+PC · · Score: 1

      10.5.4 here, and closing the browser window was sufficient.

      --
      This signature is DRM protected. By the DMCA, you are not allowed to counteract or oppose to it.
    36. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Seems to be the same case on my FF3.0.1 on Windows too! Close the tab, and I can copy/cut something else into the clipboard. What's the fuss?

    37. Re:confirmed on mac os x 10.5.4 by JayJay.br · · Score: 1

      I can confirm it kinda works with WindowsXP and Firefox3. It copies "http://www.evil.com/" to the clipboard, but a simple Ctrl+C anywhere else after closing the tab (only the tab) overwrites it.

      No browser / computer restarting necessary.

    38. Re:confirmed on mac os x 10.5.4 by TomorrowPlusX · · Score: 1

      For what it's worth, once I closed the demo window in Camino, my clipboard was fine. Chalk one up for Camino!

      --

      lorem ipsum, dolor sit amet
    39. Re:confirmed on mac os x 10.5.4 by InvisiBill · · Score: 1

      Closing the tab works for me too. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

    40. Re:confirmed on mac os x 10.5.4 by csartanis · · Score: 1

      Did you copy some other text?

    41. Re:confirmed on mac os x 10.5.4 by foniksonik · · Score: 1

      hmm I've got 10.5.5 and all I had to do to get rid of it was copy the /. url in my browser and it switched to that... ie not persistent

      I don't care enough to recreate your experiment (just enough to respond..) so YMMV apparently

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    42. Re:confirmed on mac os x 10.5.4 by RemyBR · · Score: 1

      Same here. Closing the tab in FF 3.0.1 in Vista gives me back control over the clipboard.

    43. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      clearing my browser cache liberated my clipboard (mac running firefox)

    44. Re:confirmed on mac os x 10.5.4 by Ilgaz · · Score: 1

      Sad thing is, I can confirm this too with 10.5.4 and... Flash player 10 release candidate beta.

    45. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Did I have wacky mushrooms on my pizza at lunchtime, or am I the only one who's experienced the problem going away once they navigated away from the malicious page?

      I've done this with IE and Firefox on my crappy XP box. My Linux box is experiencing hardware issues, otherwise I would have tried it out there as well.

    46. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Opera browser seems ok

      evil.com url copied to clipboard by the harmless demo page but copying/pasting other text to the clipboard is ok.

    47. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Sorry, Opera is affected as long as the demo code is open in a tab. Closing the tab makes the 'exploit' go away.

    48. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0

      Closing the tab on FF 2.0.0.16 on WinXP prof. is not enough for me. See: *hits CTRL-v* http://www.evil.com

      And yes, I am ashamed that I have to use Windows XP. It's my work laptop and until somebody writes a Checkpoint GUI for Linux I am stuck with it.

      Also, I realized that I am not logged in but since I can't copy and paste my own post now, AC will have to be sufficient but I could not have written the Checkpoint GUI part logged in anyway.

    49. Re:confirmed on mac os x 10.5.4 by Anonymous Coward · · Score: 0
      The issue is not permanently turning off flash. If I wanted to do that I would just uninstall flash. The issue is the ability to selectively accept content. This requires a modification of flash to allow an on and off switch.

      Even more interesting is the fact that any time a mildly denigrating comment about apple is posted, it invariably gets modded down as a flame or a troll. I never believed in the cult of Apple, but this pretty much has changed my opinion. There are clearly a bunch of irrational people out there who can't handle civilized conversation.

  7. AKERT THE PRESSES! by Anonymous Coward · · Score: 0

    I can't copy/paste my links to porn anymore!

  8. I would login to post a comment.... by Anonymous Coward · · Score: 0

    But I can't get http://www.evil.com out of my clipboard now to use my password manager.

  9. It may not be this by Anonymous Coward · · Score: 0

    But there is something going on with ads and the page load for slashdot.

    1. Re:It may not be this by riceboy50 · · Score: 3, Informative

      If you are using FF3 and beta Firebug, then you are probably seeing the DOM corruption bug that I see when ads are inserting into the DOM. The symptom is that the whole page disappears except for that ad. I've seen this behavior on several sites, including /. I haven't figured out a remedy yet except to disable Firebug, and we all know that's not going to happen!

      --
      ~ I am logged on, therefore I am.
    2. Re:It may not be this by mr_mischief · · Score: 1

      You can disable Firebug or just certain Firebug panels for particular web sites if you're using one of the more recent versions.

    3. Re:It may not be this by riceboy50 · · Score: 2, Informative

      Yeah, I know. I saw that they released an update today, which I'm not sure if it addresses the issue or not, but it was happening to me if the extension was enabled at all—regardless of whether I had the panels enabled or not.

      --
      ~ I am logged on, therefore I am.
    4. Re:It may not be this by riceboy50 · · Score: 1

      UPDATE: Nope, the update didn't fix it. :/

      --
      ~ I am logged on, therefore I am.
  10. Write Filter = Best Antivirus by Z34107 · · Score: 4, Informative

    Good thing my laptop runs EWF drivers. Any changes made to the C volume (a solid state drive) are made in memory instead. Everything works like you'd expect it to - delete a file and it's gone - until you reboot, that is, and all of your in-memory changes are discarded.

    I'd like to see XP Antivirus Pro 2008 thoroughly embed its tendrils... and then survive a restart. No changes are committed unless I manually force it.

    Considering that Circuit City will sell you a PC with 6 GB of RAM for $999, I wonder why EWF isn't a standard feature. Probably because somebody would forget that defragging your hard disk would exhaust available RAM and then die, or wonder where that program they just installed went after they rebooted...

    Linux has a similar filesystem, I believe it's used for boot CDs. It pairs the read-only volume with a RAM drive, and all writes are cached there and discarded.

    --
    DATABASE WOW WOW
    1. Re:Write Filter = Best Antivirus by QuantumG · · Score: 1

      Normal people like to write to their hard disk.

      a PC with 6GB of RAM for $999? Really? That's funny, I don't see a shop by option for 6GB.

      --
      How we know is more important than what we know.
    2. Re:Write Filter = Best Antivirus by bgerlich · · Score: 2, Informative

      Try searching in desktops, laptop is not the only option in most stores ... yet.

    3. Re:Write Filter = Best Antivirus by x2A · · Score: 2, Funny

      "a PC with 6GB of RAM for $999? Really? That's funny"

      That's not funny. Funny would involve the computer coming from a man walking into a bar after crossing the road on a chicken, or asking how many of those 6gigs of RAM it would take to change a lightbulb. There's no chickens involved here, and definitely no light bulb. I deduce that you're using sarcasm, maybe to convey the idea that you don't believe you can get a computer out of 'em with 6gig RAM... am I right?

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    4. Re:Write Filter = Best Antivirus by QuantumG · · Score: 1

      Ahh, good point. Thanks. There's even a $699 desktop there. No monitor of course.

      --
      How we know is more important than what we know.
    5. Re:Write Filter = Best Antivirus by Jah-Wren+Ryel · · Score: 1

      Good thing my laptop runs EWF drivers.

      Earth, Wind and Fire? So are you running the "Time is on Your Side" edition or maybe, "They Don't See [the disk writes]" version?

      --
      When information is power, privacy is freedom.
    6. Re:Write Filter = Best Antivirus by sabit666 · · Score: 1

      It's called UnionFS. Someone was kind enough to develop a FUSE version of UnionFS so we can use it without recompiling kernel.

    7. Re:Write Filter = Best Antivirus by WK2 · · Score: 3, Insightful

      So, basically, writing to your hard drive is twice as hard as it is on a normal computer? And you call that a feature that should be installed by default?

      Your original problem is that you have programs installed that do stuff to your computer that you don't want. And your solution is an extra layer that those programs are not designed to penetrate. There are two problems with having such software installed by default:
      a) it would be twice as hard to do stuff. I'm sure you realize this, and have already gotten used to it, and accept it.
      b) if this software became popular, then any malicious, or just poorly behaved software that does stuff you don't want, such as write to the hard disk, will write to the hard disk as normal, and then penetrate your extra layer of obscurity to actually write to the hard disk. Programmers would be somewhat inconvenienced, and would have to use special libraries for writing to the hard disk, and users would be annoyed.

      This EWF software you speak of is for a niche market, and would fail for everybody if it became popular. It's sort of how Linux doesn't have many viruses. Except Linux not having viruses is a side effect, and there are plenty of other reasons to use Linux if it became popular and malware authors decided to target it, whereas your software would fail if it became popular, and malware authors targeted it.

      It's kind of like how the Windows outgoing firewall is useless. Every piece of malware knows to put themselves on that whitelist. Whereas if you use a software firewall that is not installed by default, then chances are good that the malware author didn't spend time on bypassing that one.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    8. Re:Write Filter = Best Antivirus by assassinator42 · · Score: 1

      I'm assuming Microsoft uses EWF for their free Windows Disk Protection software. It uses the disk rather than the memory for the cache, though. Which makes more sense IMO, as you're expecting to write to disk anyway and you have much more disk space than memory space available.
      I'm assuming this still doesn't protect you if the malicious code gains administrative privileges though.

    9. Re:Write Filter = Best Antivirus by Anonymous Coward · · Score: 1, Informative

      Linux has a similar filesystem, I believe it's used for boot CDs. It pairs the read-only volume with a RAM drive, and all writes are cached there and discarded.

      UnionFS works great for this. I work on an embedded Linux device, and use a SquashFS root on a 8MB NOR flash chip, with a union-mounted TmpFS filesystem on top. When release firmware ships, only the SquashFS base is ever used, so memory is free for apps. But for development, it's really convenient to be able to throw on a big file temporarily, try things out, then just hit the reset switch to wipe things back to a default state.

      I've seen a couple of bootable CD distros that use this same combo (SquashFS + TmpFS via UnionFS). The even more interesting possibilities involve a read-only CD or DVD + a USB keyfob, which provides a non-volatile overlay.

    10. Re:Write Filter = Best Antivirus by SirMeliot · · Score: 2, Informative

      No no no no!

      EWF != malware protection.

      If the filter gets flushed to disk (maybe you apply an update to something), the malware gets flushed too. Plus Microsoft provide a nice API to EWF so if the malware author wants to, all he has to do is load the EWF dll and make a single call and he's in there forever!

      Even if the malware isn't flushed there's nothing to prevent you picking it up again next boot.

    11. Re:Write Filter = Best Antivirus by Ex-Linux-Fanboy · · Score: 1

      A version of the same idea that is designed to stop malware is Deep Freeze. We use it for a small lab I administer at a school and, in combination with only allowing students to use non-admin accounts, stops malware cold.

      - Sam

  11. This is why I block ads... by Anonymous Coward · · Score: 1

    And, also, they're annoying.

  12. Yes, its annoying by QuantumG · · Score: 2, Interesting

    But I fail to see how you can leverage this to gain privs.

    If that's possible, then maybe that should be the subject of the article.

    --
    How we know is more important than what we know.
    1. Re:Yes, its annoying by larry+bagina · · Score: 1

      the idea is that eventually, you'll copy/paste a url into your browser bar (or maybe an outgoing email).

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Yes, its annoying by QuantumG · · Score: 4, Insightful

      Umm.. yeah, and then you'll say "sure, install this program I didn't even ask to install". If that's something to be worried about then no amount of "security" is going to protect these people.

      --
      How we know is more important than what we know.
    3. Re:Yes, its annoying by slashqwerty · · Score: 4, Interesting

      But I fail to see how you can leverage this to gain privs.

      I suppose it would be possible to populate the clipboard with corrupted contents, perhaps a string of XML that another app would try to consume. If that other app, designed strictly for desktop use, has a vulnerability in the way it processes said XML an attacker may be able to gain privileges. It's possible such an app will examine the clipboard contents just to determine if it should enable the Paste menu. Which means you could be vulnerable even though you never paste from the clipboard.

    4. Re:Yes, its annoying by x2A · · Score: 2, Insightful

      "no amount of "security" is going to protect these people"

      Protect them? Protect us! They get their machines infected, they become latest members of bot nets, flood our mailboxes with spam, hit the servers we use with ddos attacks... no we can't protect 100%, but it's in all of our best interests to try, and close off any avenues of attack that we can.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    5. Re:Yes, its annoying by QuantumG · · Score: 1

      "Download this exe and run it for me, I've put the url in your clipboard for you".. exactly what would you have the security community do?

      --
      How we know is more important than what we know.
    6. Re:Yes, its annoying by mr_mischief · · Score: 1

      Considering there are websites out there that can own a Windows PC just by having someone visit a page with IE, I'd say this is a pretty good attack vector. You might not get many, but you'll get some who copy and paste a URL or accidentally paste it into an email instead of the string they meant and not notice until they've hit enter or clicked send.

    7. Re:Yes, its annoying by x2A · · Score: 2, Interesting

      You can't figure out a simple solution? Like, have the banner ad companies screen for flash commands that shouldn't be needed for simple ads, like setClipboard?

      Even if I don't paste the url into my browser and run whatever's on that webpage, I don't want something wiping whatever I have in the clipboard at the time... which would be why I have 'allow clipboard access' disabled in my browser javascript settings, I'd be very annoyed if sites are pushing ads that sneak around this, and if I was employing these companies to provide ads for my sites, I'd be annoyed with them for annoying my users in such a way. After all, I'm entrusting space on my pages to them. These companies should be doing better, now it's known about, they need to implement something to stop it from happening, whether people are going to the website and running stuff or not.

      (And yes there's options for blocking ads, but they're paying for what I'm using. If I don't like the number of ads I don't visit the site, cuz that's the deal as I see it... content for the ads)

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    8. Re:Yes, its annoying by jesser · · Score: 4, Insightful

      But I fail to see how you can leverage this to gain privs.

      1. Every 100ms, put some evil UNIX commands on the clipboard, surrounded by line breaks. I'm sure you can come up with a one-liner that compromises a user's system.

      2. Hope someone will paste into a Terminal window while your evil page is open.

      I paste into Terminal windows all the time. For example, I might copy an error message and then grep another file for the message. If there's an evil web page open while I do that, the paste will own me.

      --
      The shareholder is always right.
    9. Re:Yes, its annoying by Tubal-Cain · · Score: 1

      Don't fix them. Their systems grind to a halt, they go buy new ones, and offload the six-month old boxen on you. You wipe them with a fresh *nix distro and sell it or incorporate it into your local cluster. Use the money from the machines you sell to upgrade your bandwidth. DDOS (along with other slashdotters) botnet servers. /satire

    10. Re:Yes, its annoying by ZorbaTHut · · Score: 2, Interesting

      Some P2P clients support a "pull links directly from clipboard" feature, where they watch the clipboard for any link with the format they use and automatically download what it's pointing to.

      The danger in this - both the parsing, and the downloading - is obvious. I don't believe any clients run downloaded things by default, but it's still potentially quite nasty.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    11. Re:Yes, its annoying by rantingkitten · · Score: 1

      I don't know. I'll often have a video going while I'm doing work, copying and pasting from various terminal windows and whatever else. Suppose that instead of a lame URL, this hijack put some shell command into my clipboard and I, suspecting nothing, accidentally pasted it into the terminal? At the very least it could connect to a remote server owned by the attacker and give him information about my system (and from there, possible vulns), or it could do many far more insidious things.

      I grant that such a hypothetical attack would only affect a very small portion of people, but then, so do many exploits.

      But for a wider audience, I suppose even a web URL would work on many people -- it creates a URL in the clipboard which superficially resembles, say, myspace or facebook. Tons of people would then obligingly type in their credentials (people aren't that bright), or it could send information about the system to the attacker. The bogus URL could even try to download some executable or patch, and you just know there are plenty of people who would click "OK" to whatever it says because they don't know or don't care to learn not to do that.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    12. Re:Yes, its annoying by Anonymous Coward · · Score: 0

      no we can't protect 100%, but it's in all of our best interests to try, and close off any avenues of attack that we can.

      Like, for example, not letting anyone without a solid comp sci degree focused on security use large networks (such as the internet)?

    13. Re:Yes, its annoying by the+entropy · · Score: 1

      You shouldn't be grepping for error messages as a privileged user anyway. At worst this strategy can be destructive with an rm -rf ~ but that's about it.

    14. Re:Yes, its annoying by FooBarWidget · · Score: 1

      The thing is, there are legitimate reasons why Flash, or any other web app, may access the clipboard. For example, web-based rich text editor. A user asked me why the 'copy' button wouldn't work, and I told him that it's because his browser doesn't allow it and that there's no way to get around this problem. It got him confused for a while. I almost considered writing the clipboard copying code in Flash just so I can access the clipboard.

    15. Re:Yes, its annoying by x2A · · Score: 2, Informative

      "The thing is, there are legitimate reasons why Flash, or any other web app, may access the clipboard"

      Yep, which is why I actually have the browser ask me if an attempt is made whether to allow it. But, flash adverts shouldn't mess with your clipboard, which is why I believe the banner companies should do the screening/filtering, not that flash should have the functionality removed.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
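
The screening x2A proposes in the two comments above (ad networks checking submitted Flash for calls such as setClipboard) could begin with a scanner like the one below, which has to inflate compressed movies before the name is visible at all. This is an added example, not part of the thread or any ad network's code; the flagged-name list, the size limit and the sample movies are constructed assumptions.

```python
"""Screen a Flash ad for clipboard API names before it is served.

Handles uncompressed (FWS) and zlib-compressed (CWS) movies. The flagged-name
list, size limit and sample movies below are assumptions for illustration.
"""
import struct
import zlib

FLAGGED_NAMES = (b"setClipboard",)   # the call named in the story
MAX_BODY = 16 * 1024 * 1024          # refuse to inflate more than this


class SwfError(ValueError):
    """The file is not a well-formed FWS/CWS movie; a screener should reject it."""


def inflate_swf(data):
    """Return the movie body (everything after the 8-byte header), inflated."""
    if len(data) < 8:
        raise SwfError("truncated header")
    signature = data[:3]
    if signature == b"FWS":
        return data[8:]
    if signature != b"CWS":
        raise SwfError(f"unsupported signature {signature!r}")
    inflater = zlib.decompressobj()
    try:
        body = inflater.decompress(data[8:], MAX_BODY)
    except zlib.error as exc:
        raise SwfError(f"bad zlib stream: {exc}") from exc
    if inflater.unconsumed_tail:
        raise SwfError("inflated body exceeds size limit")
    return body


def iter_tags(body):
    """Yield (tag_code, payload) for each top-level tag in an inflated body."""
    if not body:
        raise SwfError("empty body")
    nbits = body[0] >> 3                    # frame RECT: 5-bit width + 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4      # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        (header,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                  # long form: 32-bit length follows
            if pos + 4 > len(body):
                raise SwfError("truncated tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise SwfError("tag runs past end of body")
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                       # End tag
            return
    raise SwfError("missing End tag")


def screen_swf(data):
    """Return sorted (tag_code, name) pairs for flagged names found in any tag.
    Every tag is searched, since buttons and sprites can carry actions too."""
    hits = set()
    for code, payload in iter_tags(inflate_swf(data)):
        for name in FLAGGED_NAMES:
            if name in payload:
                hits.add((code, name.decode()))
    return sorted(hits)


def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", code << 6 | len(payload)) + payload
    return struct.pack("<HI", code << 6 | 0x3F, len(payload)) + payload


def build_sample(tags):
    """Build a constructed CWS movie from (code, payload) pairs."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)   # empty RECT, 12 fps, 1 frame
    body += b"".join(_tag(c, p) for c, p in tags) + _tag(0, b"")
    return b"CWS" + bytes([8]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


# Constructed samples: tag 9 = SetBackgroundColor, tag 12 = DoAction.
PUSH_NAMES = b"\x96\x08\x00\x00System\x00" + b"\x96\x0e\x00\x00setClipboard\x00"
AD_WITH_CLIPBOARD = build_sample([(9, b"\xff\xff\xff"), (12, PUSH_NAMES + bytes(80))])
CLEAN_AD = build_sample([(9, b"\xff\xff\xff"), (12, b"\x07\x00")])

if __name__ == "__main__":
    print(screen_swf(AD_WITH_CLIPBOARD), screen_swf(CLEAN_AD))
```

A string match is a heuristic: a movie that assembles the method name at run time will not be flagged, so a clean result is not proof that an ad leaves the clipboard alone.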
    16. Re:Yes, its annoying by FooBarWidget · · Score: 1

      "which is why I believe the banner companies should do the screening/filtering, not that flash should have the functionality removed."

      Unfortunately banner companies don't seem to realize that people don't like obtrusive ads like this. For example, Flash ads with sound or ads that redirect the browser are *extremely* annoying and are likely to scare away visitors. But banner companies still provide them. I once asked a banner company to not show such ads on my site. It not only took them a long time to do so, they didn't understand the reason why I wouldn't want that kind of ads to show up.

    17. Re:Yes, its annoying by jesser · · Score: 1

      Or it could infect your user account with malware, send copies of your files to bad guys, steal your credit card numbers, add you to a botnet...

      Running as non-root only makes it easier to recover from an infection. It doesn't prevent any of the bad things that can happen to you as a result of being owned.

      --
      The shareholder is always right.
    18. Re:Yes, its annoying by Anonymous Coward · · Score: 0

      There are a lot of ways damage can be done without confirmation.
      Necessary conditions:
      -Pasted line already contains line-break
      -Command is non-interactive ( flags like "-y" or "-f" are used for example )

      Optional conditions (because you don't need to be root to do damage):
      -You paste into a root terminal
      -You used "sudo" recently.

      Here's a nice example with non-permanent damage (forkbomb): :(){ :|:& };:

      Very damaging example which does not require root permission or confirmation:
      rm -rf ~

      So yes, it's dangerous.
      And probably moreso for GNU/Linux users than Windows users.

    19. Re:Yes, its annoying by Anonymous Coward · · Score: 0

      Any sufficiently evil UNIX commands should fail unless you are root. You don't do your everyday work as root, do you?

    20. Re:Yes, its annoying by StikyPad · · Score: 1

      If by "own," you mean grep returns 0 matches.

    21. Re:Yes, its annoying by Lord+Flipper · · Score: 1

      If there's an evil web page open while I do that, the paste will own me.

      That's why setting the Timestamp to Zero (in ENV) is so nifty. Your 'spy', which is really an opportunistic piggy-back rider on the window of time after a su or sudo (or giving an Installer 'admin' privileges, etc) misses the admin/root escalation time in your terminal by one clock and it's closed already. (zero sometimes really means zero). No simultaneous anything happening, all is sequential. So if the escalation has 'zero' lifetime, it's over for enemies that are just polling the OS with "Do we have admin access, or root?" with the environment set right, that question returns a zero, every time. I think this is, what, 35, or is it 40 year old Unix basic stuff?

      OS X has a 5 minute window following privilege escalation, by default. That's about equal parts scary and stupid, I would think.

    22. Re:Yes, its annoying by the+entropy · · Score: 1

      Well yes, but in the case described above said ownage would be immediately visible, ease of cleaning up would be the only thing that matters then. Of course it'd be annoying and possibly destructive.

    23. Re:Yes, its annoying by jesser · · Score: 1

      It might not be that obvious. Maybe the ownage commands are followed by a bunch of noise, so they're scrolled off of the screen immediately. Or maybe the terminal window gets closed or appears to crash.

      --
      The shareholder is always right.
    24. Re:Yes, its annoying by jeffb+(2.718) · · Score: 1

      If by "own," you mean grep returns 0 matches.

      You missed the "surrounded by line breaks" part.

      Feel free to copy something like these two lines:

      echo "please wait..."
      rm -rf ~

      Then open a Terminal window, type "grep ", and paste. Grep may or may not return matches the first time you do this, but it definitely won't return any the next time.
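
The multi-line paste described in the comments above can be caught before the text reaches a shell. The following is an added example, not part of any poster's comment: the function names classify_paste, show_paste and guarded_paste are hypothetical, and it assumes a GNU or BSD userland (tr, cat -v, mktemp) with xclip available to read the clipboard.

```shell
#!/bin/sh
# Added example: vet clipboard text before it is pasted into a terminal.
# Function names are hypothetical; nothing here comes from the thread.

# classify_paste: read candidate text on stdin and print one verdict.
#   control   - contains ESC, DEL or another control byte (tab is allowed)
#   linebreak - contains LF or CR, so a shell would run it without
#               waiting for you to press Enter
#   single    - one line with no line break; nothing runs until Enter
classify_paste() {
    _cp=$(mktemp) || return 2
    cat > "$_cp"
    # Count control bytes other than tab (011), LF (012) and CR (015).
    _ctl=$(LC_ALL=C tr -cd '\001-\010\013\014\016-\037\177' < "$_cp" | wc -c)
    # Count line-break bytes; either LF or CR acts as Enter in a terminal.
    _brk=$(LC_ALL=C tr -cd '\012\015' < "$_cp" | wc -c)
    rm -f "$_cp"
    if [ "$_ctl" -gt 0 ]; then
        echo control
    elif [ "$_brk" -gt 0 ]; then
        echo linebreak
    else
        echo single
    fi
}

# show_paste: render text from stdin so hidden bytes are visible
# (CR shows as ^M, ESC as ^[) and every line is clearly delimited.
show_paste() {
    cat -v | sed 's/^/  | /'
}

# guarded_paste: pass stdin through to stdout only when it is a single
# clean line; otherwise show what was in the clipboard on stderr and
# return non-zero so the caller can stop.
guarded_paste() {
    _gp=$(mktemp) || return 2
    cat > "$_gp"
    _verdict=$(classify_paste < "$_gp")
    if [ "$_verdict" = "single" ]; then
        cat "$_gp"
        rm -f "$_gp"
        return 0
    fi
    {
        echo "refusing to paste: clipboard text is '$_verdict'"
        show_paste < "$_gp"
    } >&2
    rm -f "$_gp"
    return 1
}

# Usage (assumes xclip is installed):
#   xclip -o -selection clipboard | guarded_paste
# Constructed sample that is rejected because of its line breaks:
#   printf 'echo "please wait..."\necho second-command\n' | guarded_paste
```

The same check applies to the X11 primary selection by reading it with `xclip -o -selection primary`.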

  13. Shockwave... by azav · · Score: 4, Informative

    I'll bet you can do it too in Shockwave with copyToClipboard. It is a little trickier though, as copyToClipboard holds the reference to the Director member copied, IIRC. Thinking about it, any web service that supports the clipboard should be able to do this.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  14. How to fix this: by MrMista_B · · Score: 4, Informative

    http://adblockplus.org/en/

    Problem solved!

    Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

    1. Re:How to fix this: by AceofSpades19 · · Score: 5, Funny

      You have problems....

    2. Re:How to fix this: by Darkness404 · · Score: 1

      A better way to fix it would be a good /etc/hosts file that blocks all adservers and malware. So even if it did direct you to an evil site, it would be blocked.

      --
      Taxation is legalized theft, no more, no less.
    3. Re:How to fix this: by Anonymous Coward · · Score: 0

      Don't forget flashblock either for firefox.

    4. Re:How to fix this: by thatskinnyguy · · Score: 1

      AdBlock Plus + OpenDNS = I haven't seen an ad online in over 9 months. My life is better now.

      --
      The game.
    5. Re:How to fix this: by redcaboodle · · Score: 2, Informative

      You have problems....

      Surely - because with Adblock you block AFTER you have seen the Flash. So unless the Flash comes from an already blocked source (*.doubleclick.com?) it will already have done its evil magic.

      Only if you block all Flash you did not specifically allow are you clear. NoScript should work, then.

      And some of us have to develop in Flash (stupid designer - stupid clients) so NoScript is out of the question.

      --
      -- Put crudely, the world is an extremely large problem instance. (Russel/Norvig Artificial Intelligence)
    6. Re:How to fix this: by maxume · · Score: 1

      And if you get directed to a site run by a dude that the guy running the blacklist doesn't like, you get blocked.

      You have to trust someone, somewhere, sometime, but blocking hundreds or thousands of sites because some guy on the internets said so is not a very attractive solution.

      --
      Nerd rage is the funniest rage.
    7. Re:How to fix this: by AceofSpades19 · · Score: 2, Funny

      You have to develop Flash? I feel sorry for you.

    8. Re:How to fix this: by FictionPimp · · Score: 1

      You realize you can white list your own sites in NoScript. I'm a developer who uses NoScript on my browser. I have no problems.

    9. Re:How to fix this: by tlhIngan · · Score: 2, Informative

      http://adblockplus.org/en/

      Problem solved!

      Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

      May I suggest a solution that's better, and doesn't leech?

      Try NoScript - http://noscript.net/

      It doesn't leech since static banner ads load up just fine, but NoScript blocks flash, java, and other plug-ins (PDF, etc) by default. It also disables javascript on a per-domain basis (plus detects and blocks XSS attacks).

      And yet, if you want to see that YouTube video, just click the placeholder, and it'll ask if you really want to load whatever it is. For Javascript, click the icon and you can enable and disable the various scripts that may exist on a page (many across many domains). Nothing more fun than allowing javascript from the primary site, but disable javascript that loads ads and other junk.

      Plus, having javascript off by default makes the web go much faster. It can always be re-enabled later on, keeping horrible CPU-wasting scripts from even running.

      Me personally, I run a combination of FlashBlock + NoScript. This has a weird effect as NoScript blocks the flash, click it, and then FlashBlock blocks it, then sometimes NoScript blocks it again. Sometimes a hassle, but saves me from inadvertent clicks.

      The only XSS at times I find annoying is when purchasing from sites that use Paypal. But that's simply a click, then "Unsafe Reload" (reload the page with XSS), which fixes it.

      It's amazing how many sites work great with NoScript, and how many sites are so poorly coded they need javascript to handle a hyperlink.

    10. Re:How to fix this: by Anonymous Coward · · Score: 0

      But is it as thrilling as punching the monkey? or zapping the monkey?

    11. Re:How to fix this: by Anonymous Coward · · Score: 0

      Blacklisting is pointless because tomorrow someone might create a new site your list doesn't know about and bam -- you get ads and other bad things until you add it to your list. And it goes on and on.

      Whitelisting is the proper way to deal with this, which is why I love things like NoScript. Everything (Java/Flash/JS/etc, anyway) is disabled from every single site unless I say it's ok.

    12. Re:How to fix this: by the+entropy · · Score: 1

      Actually, just tested this, but if you block the flash object after it's taken over your clipboard the clipboard is released. The string placed in there stays but you can copy/paste stuff normally afterwards.

    13. Re:How to fix this: by Anonymous Coward · · Score: 0

      Why would I want banner ads to load up?

    14. Re:How to fix this: by Ciarang · · Score: 1

      Hmm. I don't know what this 'leech' business is, but the whole point of AdBlock is to stop annoying adverts from being displayed. (Note that as a side effect the site is saved some bandwidth and the advertiser is saved from being mentally modded -1 irritating, so everyone's a winner)

      Your alternative solution that lets the ads be displayed doesn't cut it for me.

    15. Re:How to fix this: by apoc.famine · · Score: 1

      I resisted NoScript for a long time, as it looked like a pain in the ass to use. Note to those in the same position:

      NoScript is stupid-easy to use.

      It tells you clearly what it's blocking, and you can unblock with two clicks - either permanently, or on a session-by-session basis. In my daily browsing, it is completely invisible on my regular sites, which are already fully white/black listed. When I go elsewhere, it discreetly lets me know who is running shit on a page, and gives me nearly full control over it.

      NoScript is very much worth your time. Give it a few days as you get the most common pages white/black listed, then see how you like it. It takes a bit of setup, but even then it's useful out of the box, and quickly fades into the background.

      --
      Velociraptor = Distiraptor / Timeraptor
    16. Re:How to fix this: by theocrite · · Score: 1

      Seriously, blocking ads and javascript and flash stuff is like a game for me now

      Well, with all due respect, I think you do this the wrong way.

      When you allow everything, you have no control and you can only block what you can see and you don't know what is being done.

      I use NoScript and then I ALLOW some scripts/pages/domains when relevant/needed (based on "do I need this?", "do I trust the site owner?", "am I in my chrooted env?" etc.).
      Common ads domains are blacklisted forever (no more xiti/bigbrothering, no more googleads scripts etc.)
      This is how it should work.

      deny from all
      allow from ...

      block out
      block in
      pass in on ...


      iptables -P INPUT DROP
      iptables -P OUTPUT DROP
      iptables -P FORWARD DROP
      iptables -A ... -j ACCEPT

      restrict default ignore
      restrict example.com ...
      etc. etc.

    17. Re:How to fix this: by swb · · Score: 2, Interesting

      I second this, but I would only permanently whitelist sites you absolutely need to out of convenience or trust; everything else I temporarily whitelist on an as-needed basis, and I find that unless I'm shopping or something there are a number of sites I don't need javascript to run for basic use. I figure with SQL injection attacks and other random maliciousness, even "trusted" web sites can be compromised and this keeps my exposure to a minimum.

      The only feature I wish it had, though, was some kind of per-tab or per-site whitelist inheritance. Some sites, like Newegg, use Akamai for shopping cart processing. Allowing Newegg doesn't in turn allow URLs for Akamai, which I understand, but it means I have to wait until the checkout blows up, THEN temporarily allow Akamai to finish a purchase.

      If there was some other way to "Temporarily allow all referred linked from foo.com" or "Allow all as long as address bar is foo.com" or something that would allow other sites' javascript to run, so long as I "stayed" on the page I was on.

    18. Re:How to fix this: by Anonymous Coward · · Score: 1, Informative

      Not quite. I have ABP installed on FF3 and unless you specifically tell it to block Flash, it will still copy to the Clipboard, on Windows:

            http://www.evil.com

  15. Lame results with Linux by keeboo · · Score: 5, Informative

    Well I accessed the page under Linux and Firefox 2 and the following things happened:

    The middle mouse button pastes as usual.
    The hijacked content only appeared with CTRL-V.

    All I need to do is to close the page tab and it's gone.

    Disappointing.

    1. Re:Lame results with Linux by marxmarv · · Score: 2, Insightful

      I think that's an X11 anachronism you're dealing with there. No idea why it still exists in 2008.

      --
      /. -- the Free Republic of technology.
    2. Re:Lame results with Linux by Anonymous Coward · · Score: 1, Insightful

      This is because Linux, in its infinite wisdom, decided to have two clipboards - one for selecting text and middle-clicking, and one that works with Ctrl-C and Ctrl-V like all the other OSes. Yay for confusing users with needless features. But of course there must be some technical users out there who take advantage of the two clipboards and would never allow removing one of them from the OS.

    3. Re:Lame results with Linux by Anonymous Coward · · Score: 0

      Another example of our schizophrenic clipboard is beneficial.

      Honestly though, I never use CTRL-V in Linux.

    4. Re:Lame results with Linux by Anonymous Coward · · Score: 0

      Damn that Linux for having two separate paste buffers to make life easier!

    5. Re:Lame results with Linux by jesser · · Score: 1

      FWIW, there's a Firefox bug that lets sites hijack your 'primary' clipboard (the one that middle mouse clicks paste). See bug 265868. So you're not safe just by avoiding Ctrl+V yet.

      --
      The shareholder is always right.
    6. Re:Lame results with Linux by amirulbahr · · Score: 1

      Not a Linux thing, but a UNIX thing from way back. Any Unix user on a Unix-like O/S would instinctively middle-click to paste what she just highlighted.

      I, for one, miss that feature whenever I use Windows.

    7. Re:Lame results with Linux by neonux · · Score: 1

      Not a Linux thing, but a UNIX thing from way back. Any Unix user on a Unix-like O/S would instinctively middle-click to paste what she just highlighted.

      You must be new here.

      --
      @neonux
    8. Re:Lame results with Linux by Anonymous Coward · · Score: 0

      I see the same results as you. Now, try copying something else to your clipboard. Yes, it is disappointing: why should the Flash plugin be able to repeatedly interfere with the clipboard?

    9. Re:Lame results with Linux by martinw89 · · Score: 1

      Thanks for keeping things that way. Really.

    10. Re:Lame results with Linux by WK2 · · Score: 2, Insightful

      The way I see it, having multiple clipboards, and multiple ways to write to and from the clipboard, are separate issues. I can see the reason behind multiple access points to the clipboard, but having multiple, unrelated clipboards is somewhat of an annoyance.

      And there is another issue. Try opening an editor, or browser. Write some text, and copy that text to the clipboard. Now exit the editor. Your data in the clipboard is lost. This has tripped me up many times, and I would really like to fix it. It doesn't have to be that way, too. I can copy stuff with xclip, which exits immediately, but that info remains in the clipboard.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    11. Re:Lame results with Linux by spectecjr · · Score: 1

      Install MS intellipoint.
      Remap middle mouse button to Paste.
      Enjoy.

      --
      Coming soon - pyrogyra
    12. Re:Lame results with Linux by Anonymous Coward · · Score: 0

      Disappointing.

      Use Opera. It has the paste hijack feature. No need to wait for someone to write an extension for Firefox.

    13. Re:Lame results with Linux by Henry+V+.009 · · Score: 1

      Yes, girls don't like Linux because of all the sexism. You keep telling yourself that. On the inside, they're just big nerdy guys with breasts.

    14. Re:Lame results with Linux by BitZtream · · Score: 1

      Just for the sake of clarity, it's an issue with X11 applications, not UNIX. It's also relatively new and due to people not being able to agree on how to handle clipboard data for non-text types, resulting in two types of clipboards.

      This wasn't a problem 10 years ago because you only really had support for copy/pasting text, and other applications for the most part didn't bother worrying about compatibility with anything else if they dealt with something other than a text format.

      Nowadays, with UNIX vendors trying much harder to be more Windowsish, actually having a useful clipboard became slightly more important, but not important enough that they didn't fuck it up in a typical 'my method is better than yours' way.

      They got the idea to be more user friendly, but due to egos, have a very hard time accomplishing the goal.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    15. Re:Lame results with Linux by Anonymous Coward · · Score: 0

      > big nerdy guys with breasts.

      I saw enough of those at DefCon, thanks.

    16. Re:Lame results with Linux by spitzak · · Score: 1

      The "selection" is what came first, actually. The "selection" is much better thought of as a drag & drop. Clicking the middle mouse button is the same as dragging and dropping the current selection, with the huge advantage that you can rearrange windows and launch programs between the start and end of the drag & drop. So in effect X had drag & drop initially, but no clipboard.

      Unfortunately for a long time X users had no idea what they had and kept thinking it was a clipboard. The ideas did not merge very well, primarily because selecting text in effect immediately did a copy. The largest problem with this is that it is impossible to select text and replace it with the previous copy. It also screwed up users who did not expect selection to mess with the previous copy.

      Finally around 1997 they added the second clipboard and the toolkits were fixed to use it correctly. Now what is needed is for them to realize that drag & drop and the selection are the same thing, and ideally all applications and toolkits fixed so the results are identical whether you do a drag & drop or you click the middle mouse button. This would be a good deal better than drag & drop on other systems and a good use of the middle mouse button.

    17. Re:Lame results with Linux by spitzak · · Score: 1

      That's not the same. What is wanted is to copy the most recently selected object, whether or not Copy was done after the selection.

    18. Re:Lame results with Linux by spitzak · · Score: 1

      I keep hearing that this is addressed but I never see it work, even on the newest Gnome systems and GTK or Qt programs.

      Windows actually has the same bug, but it sends a WM_RENDERALLFORMATS message when the program is exiting and this is used as a signal that the program should write its selected text to the global store.

    19. Re:Lame results with Linux by spitzak · · Score: 1

      It has nothing to do with text versus other types of data.

      The problem is that the original "selection" was replaced when the user selected text. IE selecting text was pretty much identical to selecting text and doing an immediate Copy on Windows.

      There were a lot of confused attempts to modify the selection to be more like the clipboard, until finally around 1997 everybody realized that they were two different things. In fact the selection is really the drag & drop buffer. You would not expect drag & drop to modify the clipboard, therefore these should be two buffers. I guess Windows has the same thing though they call the selection the drag & drop.

    20. Re:Lame results with Linux by spitzak · · Score: 1

      There may be a way to "hijack" the selection buffer (what the middle mouse pastes) as well as the clipboard. Perhaps display the evil text in a text widget, make sure it has focus, and set the selection on it. Maybe you can even fake mouse events to the widget if that is the only way to change the selection.

    21. Re:Lame results with Linux by qzulla · · Score: 1

      No kidding. It worked as advertised.

      From TFA:

      (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

      qz

    22. Re:Lame results with Linux by Anonymous Coward · · Score: 0

      Yeah, same here with XP - the tab closes and the clipboard is back to normal - don't get the hubbub or how it would trick anyone into doing anything

    23. Re:Lame results with Linux by spectecjr · · Score: 1

      That seems rather strange, conflicting and broken behavior.

      Firstly, this limits you to text fields, as other windows may or may not have any concept of "selected".

      Secondly, selecting the text field to paste the text into will surely cause a problem here?

      The way the behavior works is this:
      Mouse click on window X -> Gives window X's top-level parent activation and then gives Window X focus.

      Then, the middle-mouse button handler causes the paste operation.

      However, the window getting focus also means that it now has a selection - even an empty one where the Caret is.

      Maybe X windows has special case code for handling this in text fields... I can only see one way of doing this for Windows, and that's to handle the non-client Mouse-down button message, then scrape the contents of the window which currently has focus (by sending it a WM_COPY), then allow the non-client message to pass through, passing a WM_PASTE. But that'll overwrite your real clipboard, which is again busted behavior.

      I guess the solution here is: deal with it. X-Windows is the only OS which supports this kind of behavior.

      --
      Coming soon - pyrogyra
    24. Re:Lame results with Linux by spitzak · · Score: 1

      It's the last text that was selected by the user, not the currently highlighted text. So switching to the window to drop into does not change it.

      Yes you cannot replace a selection with another (unless you select the destination first, but that is not very intuitive and certainly no easier than deleting it first, and at least on Linux it often does not replace it anyway). This is the primary problem with the selection and why a different clipboard mechanism with a copy action is needed.

      The problem most people have with this is that it is NOT cut & paste. It is much better to think of it as drag & drop, with the advantage that you can rearrange windows and launch other programs between the "drag" and the "drop". In fact I think the best way to duplicate it on Windows is to somehow mess with the drag & drop. And on Linux they should merge these two as much as possible so that you can be sure that if you can drag & drop, you can also middle-click to get the same effect.

      Certainly non-text windows have a concept of "selection". If you can drag & drop anything more complicated than a single object then it must have a selection, so that you can shift+click, ctrl+click, or marquee select the set to drag & drop. Just reuse this.

  16. YAFH by Anonymous Coward · · Score: 0

    Yet another flash hijack. Comments I've seen aren't calling out Adobe, but instead are talking about good thing for flash-block and no-script. Yes, those are great plugins, but come on Adobe, my system is only as strong as its weakest link, and more and more that's Flash, not the browser, not the OS. I wonder if Silverlight has this vulnerability.

    1. Re:YAFH by ozmanjusri · · Score: 1
      Comments I've seen aren't calling out Adobe

      That's an interesting point.

      I've noticed a big increase in the amount of anti-Adobe sentiment in tech blogs recently, with Flash being targeted in particular.

      I wonder if it has anything to do with Microsoft's pushing Silverlight?

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:YAFH by Anonymous Coward · · Score: 0

      Anti-Adobe sentiment has existed for a long, long time, and justifiably so. They write some of the buggiest code out there and on top of that they have a very VERY poor security record.

    3. Re:YAFH by Anonymous Coward · · Score: 0

      I've noticed a big increase in the amount of anti-Adobe sentiment in tech blogs recently, with Flash being targeted in particular.

      I wonder if it has anything to do with Microsoft's pushing Silverlight?

      No, it has to do with the fact that flash is such a piece of crap. Adobe software is so annoying to deploy & maintain. Adobe doesn't follow the normal rules for installers & msi files for acrobat and Adobe CS, and there are many, many errors in the limited documentation that they provide. Even getting .msi installers for flash is a hassle.

      Further, flash (and silverlight) are overwhelmingly used for web crap.

    4. Re:YAFH by marxmarv · · Score: 1

      It could be astroturf, but that doesn't mean Flash doesn't suck butt. The thing that sucks most about Flash (from this end user's perspective) is that access control is very coarse: the only way to keep it from interacting with the page, performing HTTP requests on your behalf, sending to your soundcard, accessing your clipboard, etc. is not to run the Flash applet in the first place. Ergo, Flashblock/NoScript is essential equipment these days.

      (Why, I'm looking right now at a NoScript placeholder below this very edit box. Sorry, DoubleClick.)

      --
      /. -- the Free Republic of technology.
    5. Re:YAFH by Anonymous Coward · · Score: 0

      Adobe doesn't just have a record in security. You also have to remember who Flash is designed for. It's not designed for the user who installs Flash Player.

      It's designed for the developers who buy the Flash/CS tools to sling ads at the end user, as well as store permanent tracking data that the user is unable to erase, which can be sold to mass marketers.

      The end user comes last.

  17. Reading the clipboard is even more evil by Pascarello · · Score: 1

    Yeah, adding stuff to the clipboard is nothing new. You could do it without a prompt in browsers in the past with a couple lines of JavaScript. TinyUrl does it with IE. I was always worried about a script that could read what is on the clipboard and send it to some host server. Target your competitor and see if you can get sensitive data!

  18. Not affected it seems ... by YeeHaW_Jelte · · Score: 4, Informative

    ... on this old system with SuSE 9.1, FF 2.0.014, flash 7.

    Hoorah for lazy upgrading ;)

    --

    ---
    "The chances of a demonic possession spreading are remote -- relax."
    1. Re:Not affected it seems ... by eclectro · · Score: 1

      Hoorah for lazy upgrading ;)

      Not so much for missing out on half the web.

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    2. Re:Not affected it seems ... by Anonymous Coward · · Score: 1, Funny

      Congratulations, you're vulnerable to all the holes fixed between Firefox 2.0.0.14 and Firefox 2.0.0.16 and many of the holes fixed between Flash 7 and Flash 9 instead.

    3. Re:Not affected it seems ... by Anonymous Coward · · Score: 0

      I still use Slackware 2.0 and browse with vi, you insensitive clod!

  19. What about Opera? by Lando242 · · Score: 1

    Does the same problem appear in Opera? Seeing as how Opera has a built-in ad-blocker that's quite effective (and also blocks flash) once configured, I'd bet it's less of an issue. What if you do click the ad though? Is Opera's much touted security up to the task?

    1. Re:What about Opera? by hellwig · · Score: 4, Informative

      Tried with Opera 9.51 on gOs/Ubuntu 7.10 and it did copy the url to my clipboard which I was unable to replace (with ctrl+c) until I closed the tab. After closure, I regained control of my clipboard.

      I tried using a user javascript file that would block all flash content and allow me to individually activate the various flash files, but I had problems with things like YouTube, and eventually I abandoned it when certain websites I frequented used Flash for the most absurd reasons (don't remember which, this was over a year ago). Might be worthwhile to bring it back.

      --
      Eggs
      Milk
      Bread
      Cat Litter
      Soda
      ...
    2. Re:What about Opera? by Anonymous Coward · · Score: 0

      ... Or you could just use NoScript...

    3. Re:What about Opera? by Anonymous Coward · · Score: 0

      I browse with Flash, Java, Image animation and sound in web page all disabled in Opera. I frequently ignore (i.e. leave) a website that "demands" that I use flash unless I have to. The rare viruses that get thru are caught by Nod32. I use Firefox when I know that the website developer is too stupid to make it work for Opera. Flash is always annoying; even with Flash Block and NoScript in Firefox.

    4. Re:What about Opera? by thinkahead · · Score: 1

      Opera actually has this nifty feature called "site preferences" which allow per-site customization of everything. I have flash (and java) turned off globally, and only turn it on on a case-by-case basis when a site (like youtube) really needs it.

      Right-click into a page, Edit site preferences... turn on flash in "content".

      Opera's "Block Content" feature does the converse - you click on stuff that you *don't* want to appear on certain sites.

      Also, Camino (which is a Mac-conformant UI around Firefox's rendering engine) has a feature where flash plugins only play after you click on them.

      Problem solved, pretty much!

  20. Confirmed in Opera 9.25 by Rockoon · · Score: 2, Informative

    I realize it's probably not the latest version of Opera...

    --
    "His name was James Damore."
  21. As I am fond of saying by smittyoneeach · · Score: 1

    I get a little thrill of victory every time I block one of those things, it's great.

    Who is pleased easily is pleased often.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  22. evil by duckInferno · · Score: 2, Insightful

    Just further proof that Adobe Flash is evil.

    --
    Fool me once, shame on you. Fool me twice, watch it -- I'm huge!
    1. Re:evil by mr_mischief · · Score: 1

      You fail Hanlon's razor. This is clearly incompetence.

  23. Opposite experience by Anpheus · · Score: 2, Informative

    I enabled the object in Firefox 3.0.1 with NoScript 1.7.8, Flash version is 9.0r124, and yes, it did set my clipboard.

    1. Re:Opposite experience by Derek+Pomery · · Score: 1

      NoScript 1.7.8
      Shockwave Flash 10.0.0 d569
      Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1
      Ubuntu

      Did you whitelist the domain for javascript as well, or just click on the flash?
      Wonder if it was using 10.0.0 or if I was just lucky.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    2. Re:Opposite experience by Derek+Pomery · · Score: 2

      Apologies - indeed whitelisting the flash was all that was needed.
      I had used the X paste buffer (middle click) first time around.
      Retested.
      Worked.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    3. Re:Opposite experience by jacquesm · · Score: 1

      these guys are going to get a lot of heat :) :

      Registrant:
      Evil Empire Endeavors
            ATTN: EVIL.COM
            c/o Network Solutions
            P.O. Box 447
            Herndon, VA. 20172-0447

    4. Re:Opposite experience by eat+here_get+gas · · Score: 1

      I too am using Firefox3 with NoScript... do I need to do anything other than permit/deny scripts via the icon on the lower left, or am I susceptible to this exploit (WinXP x64, Flash disabled, btw)....

      --
      the significance of a signature is insignificant
    5. Re:Opposite experience by infonography · · Score: 2, Funny

      That domain now points to Whitehouse.gov

      --
      Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    6. Re:Opposite experience by camg188 · · Score: 1

      With Win2K Pro, FF2, and NoScript - I opened the test link in a new tab (the way I usually surf) and clicked the embedded flash so NoScript would allow it. As described, the clipboard was hijacked for all tabs and other apps that I checked. After I closed the tab containing the malicious Flash, the clipboard functioned normally without restarting FireFox.

    7. Re:Opposite experience by X0563511 · · Score: 2, Insightful

      Unless you randomly paste links that you can't remember copying, visiting them, and then deciding to install the advertised antivirus software... I would consider this attack vector to be pretty benign. Darwin for the internet, if you will.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  24. digg.com by timmarhy · · Score: 1, Offtopic

    I can't think of a website that deserves a hack more than those smug assholes....

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:digg.com by Anonymous Coward · · Score: 0

      when did slashdot change its domain?

    2. Re:digg.com by Ash-Fox · · Score: 1

      Exterminate! Exterminate! Halt! Or else we will exterminate you! You are now a prisoner of the Slashdotterz!

      --
      Change is certain; progress is not obligatory.
  25. Barely works in ubuntu by Anonymous Coward · · Score: 1, Interesting

    I'm running Ubuntu 8.10 and Firefox 3.0, and while the attack does paste text onto the clipboard, all I need to do to copy new text over it is close the offending tab. Based on comments I read from Mac and Windows users, it seems like Linux is the least affected by this 'attack'.

  26. iPhone by Anonymous Coward · · Score: 2, Funny

    Now we know why the iPhone has no copy/paste support. It's a security issue!

  27. Whew. by rascher · · Score: 4, Funny

    It's about time they start making software that runs on Linux too.

  28. Remember those old dress shirts... by zogger · · Score: 1

    ...where the collar was a different color from the rest of the shirt?

    That's Flash.

    Just say no.

  29. No need for flash adverts by TavisJohn · · Score: 1

    Personally I see no need for flash adverts. Adverts should never use flash or any scripts for this very reason.

  30. Re:Clicked on the flash area in NoScript in the de by unlametheweak · · Score: 3, Insightful

    These days you have to go out of your way to avoid flash by learning about and installing less popular Web browsers like Firefox and installing extensions (Add-ons) like NoScript that you have to educate yourself about. These days even browsers like Firefox come pre-installed with crapware and bloatware like Microsoft DRM and Shockwave Flash. These things I have manually disabled.

    I often hear people on Slashdot claiming that Flash is safe, but I also constantly hear about flash-based exploits as well. To most Slashdot users I would think Flash would be relatively safe, however most people are not Slashdot users.

    The Internet is becoming less accessible to me as the years go by. There is no need for Flash or Java or JavaScript (to navigate to a URL for example). I can only perceive malicious reasons why Web developers would try to force people to use these technologies.

    When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.

  31. But so what? by flyingfsck · · Score: 1

    Most computer users don't even know that Windoze has a clipboard, let alone know how to press Ctrl-V to do something with it, never mind getting some program to actually follow the link.

    It looks like a big ball of nothing to me.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  32. Use the iPhone by Anonymous Coward · · Score: 0

    Two reasons why the iPhone is the safest from this type of attack:

    1. No Flash
    2. No Clipboard

    1. Re:Use the iPhone by MikeUW · · Score: 1

      3: It's a phone

      (sorry, I have karma to burn I guess)

  33. Just a loop by Twillerror · · Score: 4, Interesting

    Okay so the flash ad just copies something to the clipboard in a loop. Closing the tab or browser stops this. I suppose if you are running your browser in the background this would be very annoying and you wouldn't know.

    Today firefox and IE prompt if you want to use the clipboard from javascript, but it used to not be this way. I'm sure Adobe will patch this soon enough.

    This is like old popups...an oversight that is being exploited by the annoying "internet bully". It's like getting a wet willy or your head stuffed in a toilet.

    The issue is here that both Flash and the underlying operating system don't have any kind of cut and paste protection. X, Mac OS X, and XP/Vista should not allow a program to copy and paste the same damn string to the clipboard over and over. Really kind of annoying that we have to spend so many human hours fixing "problems" like this...but such is life I suppose.

    1. Re:Just a loop by Anonymous Coward · · Score: 0

      Yer right, the OS should check for a program that posts to the clipboard in a loop. No modern day OS's are bloated, and I'd welcome the use of additional clock ticks to check for such a common occurrence as a program repeatedly posting to the clipboard. Adobe really has nothing to do with this problem at all! Damn those curs-ed OS programmers!

    2. Re:Just a loop by Have+Blue · · Score: 1

      So they'll just change the exploit to copy a URL that differs only in arguments each time. The OS clipboard is the wrong place to solve this- a better solution would be to simply deny Javascript and Flash movies access to the cross-application clipboard at the browser level (at least, I can't think of a good reason to allow it that couldn't be replaced with presenting the content to be copied to the user in a standard text field).

    3. Re:Just a loop by Anonymous Coward · · Score: 0

      X, Mac OS X, and XP/Vista should not allow a program to copy and paste the same damn string to the clipboard over and over.

      Why the hell not? It is my computer and if that's the behavior I want, so be it. The problem here is more fundamental and less technical. Running arbitrary code from anywhere on the net is just f-ing stupid. Even in IE4 I only allowed java on hand-picked sites. Now, with Fedora, flashblock, noscript, and a non-admin user account, my PC is even more safe. Not only does that safety come without inconvenience, it actively blocks inconvenience (ads). Did you know the last "e-commerce" purchase I made was by picking up the phone and getting a $50 discount on shipping? Woot.

    4. Re:Just a loop by stewbacca · · Score: 1

      Today firefox and IE prompt if you want to use the clipboard from javascript, but it used to not be this way. I'm sure Adobe will patch this soon enough.

      God, I hope not. The last thing I want is an annoying nagging pop-up that is trying to protect me from myself due to a knee-jerk reaction. IF this exploit affected something more than say, err, 1% of the general population, I'd still not want it. Maybe if it happened once a day I'd want it, but since I'll probably NEVER see this exploit (other than clicking on it in TFA) it's not worth my time to click a yes/no/cancel button.

  34. A Legit Use by Anonymous Coward · · Score: 0

    http://is.gd is a site like TinyURL (but shorter), it uses this paste ability to after you have "hashed" the address.

  35. Yes, but by Anonymous Coward · · Score: 0

    does it run in lennix?

  36. PithHelmet on OS X solves the problem by themadplasterer · · Score: 1

    Install PithHelmet in Safari and block flash and the problem is solved.

    1. Re:PithHelmet on OS X solves the problem by Yvan256 · · Score: 1

      Or just disable plug-ins altogether.

  37. Enemy #2 by Charles+Dodgeson · · Score: 1

    Flash is really enemy #1 in terms of security

    I would put JavaScript as #1.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  38. Flashblock doesn't work here by Anonymous Coward · · Score: 2, Interesting

    I am visiting the test site using Firefox with Flashblock on Ubuntu 8.04. I press Ctrl+V, and there it is, http://www.evil.com.

    This only happens sporadically, though, and I can always just Ctrl+C something else. I believe this is because Flashblock blocks ads as they are loaded, not before they load (not 100% sure about this).

    Does anybody else have this issue?

    1. Re:Flashblock doesn't work here by spisska · · Score: 1

      I'm seeing the same thing. FF 3.0.1, Flashblock 1.5.6, Ubuntu 8.04.

      It doesn't work consistently, or even according to any pattern that I can see. Just following the link seems to be enough -- there doesn't appear to be any effect whether or not one even looks at the tab.

      The flash itself remains blocked but evil.com pops up in the clipboard around 10-20 percent of the time.

    2. Re:Flashblock doesn't work here by RiotingPacifist · · Score: 1

      It only seems to affect cut/paste; is this just the implementation, or is the select/paste immune to the attack?

      It only has any effect on me if I click to load the flash before then it has no effect (ubuntu 8.04 64bit)

      --
      IranAir Flight 655 never forget!
  39. nothing for me either by Kid+Zero · · Score: 1

    FireFox, Adblock, NoScript, all latest versions, and the flipping thing didn't work. I'm not concerned.

  40. Question for you flash blockers by Layth · · Score: 1

    With all of these flash security and OS incompatibility issues surfacing on /. it makes me wonder.

    Do you guys explicitly avoid all sites with functionality contingent on the flash player, or are there appeasements that I could make?

    Adobe has definitely screwed up in some places, but it's not all bad. Flex provides a very nice web application interface for coding that I've been learning in my spare time, and silverlight isn't quite as far along.

    Hopefully I'm not going in the wrong direction here w/ adobe.
    Mod me off topic if you must, I've been putting tons of time into flex and I have karma to burn =/

    1. Re:Question for you flash blockers by MrMista_B · · Score: 1

      Personally, I don't avoid sites with flash content - I just block the flash. If, after blocking all the flash and javascript on the site, the site doesn't work, I consider that the fault of the person who made the site, I complain to the site owner, and then leave, usually for good.

      It depends what you're using the flash for though, really - just ads? Fuck 'em, I make a game out of blocking all ads permanently with flashblock. Is it a flash game? I might give it a try once or twice, there's a couple flash games I like. A flash cartoon? Only good one I know is Strong Bad. Youtube? I'll just go to youtube, thanks.

      If it's anything else, if you can do it with text and images instead of flash, you're probably just wasting your time.

      Sorry.

    2. Re:Question for you flash blockers by Koiu+Lpoi · · Score: 1, Insightful

      Me? I start with the attitude of "this flash movie doesn't need to be played", with noscript in full power, and if the site NEEDS it, I might let it run. This way, legitimate content can be run, and things like ads get blocked. Of course, this requires me to use my own judgement, but frankly, flash STILL has performance problems, so the less it runs the better for me.

  41. Re:Clicked on the flash area in NoScript in the de by Anonymous Coward · · Score: 1, Informative

    Now I'm pissed. Why on earth are flash applications allowed to even go near our clipboards without explicit permission?

    I remember a decade ago there were javascript functions to manipulate the clipboard, but at least browser vendors have the common sense to disallow such actions without at least explicit permissions.

    Apparently security and privacy are second-class citizens to Adobe. I'm very concerned.. this whole issue was addressed years ago..WTF?!?

  42. FlashBlock rules by Anonymous Coward · · Score: 0

    FlashBlock rules

  43. Re:Clicked on the flash area in NoScript in the de by falconwolf · · Score: 1

    The Internet is becoming less accessible to me as the years go by.

    It's less accessible to a lot of people.

    There is no need for Flash or Java or JavaScript (to navigate to a URL for example).

    When I used Windows I used the ZoneAlarm firewall which allows users to set what websites can use java, objects, and scripts and which can't. However a year ago I switched to OS X and a version isn't made for Macs. I heard NoScript does the same but I haven't tried it yet, and I need to have javascript turned on. My ISP provides webmail as well as filtering. If a message's sender isn't in your online address book, it is transferred to a "suspicious" folder which is only accessible online. However webmail requires javascript.

    When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited.

    Even though I have the latest Shockwave and Flash installed I keep having websites say I need to download one or the other to use the site.

    Falcon

  44. Re:Clicked on the flash area in NoScript in the de by unlametheweak · · Score: 1

    I only have local links on my NoScript whitelist. If I do decide to use JavaScript (it helps when reading the FireHose on Slash for example), I will temporarily enable it. It should be emphasized that I'm talking about consumer choice here; these technologies may and sometimes even do offer added value to the Web experience.

  45. Linux, IE, and Safari by falconwolf · · Score: 1

    Also, I doubt the massive population of Linux users running IE and Safari are going to be affected.

    TFA, I know this is /. and people don't but you can learn a lot if you read the articles, says it targets "Mac, Windows and Linux users running Firefox, IE and Safari"

    Falcon

  46. Thanks! by Kludge · · Score: 1

    I could not figure out how to get it to work.

  47. Re:Clicked on the flash area in NoScript in the de by hasbeard · · Score: 1

    I think there is some kind of Flash malware distribution scheme going on that tells you that you need to update your Flash player even though you have the latest version. Here's a link to an article on it: http://blogs.adobe.com/psirt/2008/08/verifying_installers.html I don't know that this is what's happening with you though.

  48. Secure Linux Clipboards by Doc+Ruby · · Score: 3, Funny

    So now it seems that Linux's nonintegrated multiple clipboards and their UIs (Ctrl-c, and select/middle-click) are a security feature, not a bug.

    --
    make install -not war

  49. Re:Clicked on the flash area in NoScript in the de by TLLOTS · · Score: 1

    I use NoScript and Flashblock and find it works well. With both you can easily enable javascript if needed (for the likes of digg, etc.) while still stopping horrible flash advertisements showing up.

  50. Re:Clicked on the flash area in NoScript in the de by Hurricane78 · · Score: 5, Insightful

    > When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.

    This maybe is true, except if you want to do a real web application. Loading a whole HTML-page, just to change some state of a (non-form-element) interface element... That's insanity.
    You've done the same that someone in a trauma does. You've created false associations. It's not the technology or even the virtual machine that's bad. It's the implementation.
    Your argument is the same, as if someone who had only bad experiences with x86, while having good ones with his old 86000s, argues that "if an application requires x86, then that application is never again used."
    The same is true for OSes. Someone could implement Windows XP in a proper manner, and make it a very safe system. (I did not say that someone would want, though ;)

    Or in short:
    Someone can crack a bad JavaScript VM and contaminate the rest of the system. And someone could crack a bad OS, and contaminate the rest of the system. There are even examples for this on virtualization VMs. (Heck, the system's clipboard is accessible to all 3 of them, on modern VMs!)

    So my vote goes for Replacing the JavaScript VM with a hardened generic VM, with a fixed interface to the outside world, and adding JavaScript, Python, Ruby, Haskell, Ocaml and more as languages to it (via add-ons, or pre-compiled?)

    Okay, I think one should remove at least one layer of abstraction/VM and harden the OS so that even OpenGL on JavaScript would not have a performance loss. (Yes, this would be useful. Eg. for quick dynamic data visualization or entertainment applications.)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  51. Flash by falconwolf · · Score: 1

    Now the course I took wasn't a web-development course(at least not directly it was about the over-all design and not the tools used) and didn't have time to teach nor the prerequisite of knowing html so flash was the most expedient option.

    Flash is easier to learn than html? I admit I've never learned Flash but html is easy.

    Falcon

    1. Re:Flash by cheater512 · · Score: 1

      It's more of a thing that n00bs use, rather than competent people.

    2. Re:Flash by falconwolf · · Score: 1

      It's more of a thing that n00bs use, rather than competent people.

      I'd think you'd have to be more competent to use Flash than to use html. Now using something like Dreamweaver doesn't take as much skill.

      Falcon

    3. Re:Flash by Gerzel · · Score: 1

      Not easier necessarily but for what the course was teaching neither flash nor html was a prerequisite and flash was the more expedient of the available options.

  52. Here's an idea for Adobe by TheVelvetFlamebait · · Score: 1

    Instead of this "edit clipboard" command (or whatever it is), just include a "get admin privileges" command. It doesn't actually do anything, just creates a message box informing the user that the banner is trying to get admin privileges. Evil banners wouldn't be able to resist it, and there would be absolutely no way of annoying people.

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
  53. And my wife said it was porn! by wmbetts · · Score: 2, Funny

    I got hit with this last night and it was a bitch trying to figure out what it was. I literally spent hours trying to find what had hijacked my computer. I finally said screw it and reinstalled Linux, because the only game I play regularly can be loaded in Wine.

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  54. Re:Clicked on the flash area in NoScript in the de by unlametheweak · · Score: 1

    NoScript sounds like something that you need. I used to have ZoneAlarm as well. IMHO it is much better at configuring things like JavaScript access, etc. It has a very intuitive interface and is easily customizable.

    JavaScript, for example, can be turned on temporarily by a click of a button in the status bar when you logon to Webmail. You can also have white lists of sites. It protects against Flash and even XSS and other nuisances. The developers are constantly updating the program based on newly found vulnerabilities, etc.

    It is highly recommended.

  55. Excellent, thanks by Layth · · Score: 1

    The flash is used for dynamic graphical assembly of user objects and provides an interactive interface with those objects.
    The rest of the site will be devoid of flash; it sounds like this decoupling is the way to go, along with making the user explicitly aware that they've been directed to a flash only section of the site.

    Thanks for the response.

  56. Reading is hard by narcberry · · Score: 1

    Anyone else struggle with 4 verbs in the title?

    --
    Modding me -1 troll doesn't make me wrong.
  57. Re:Clicked on the flash area in NoScript in the de by falconwolf · · Score: 1

    I think there is some kind of Flash malware distribution scheme going on that tells you that you need to update your Flash player even though you have the latest version. Here's a link to an article on it:
    http://blogs.adobe.com/psirt/2008/08/verifying_installers.html I don't know that this is what's happening with you though.

    I don't think that that's happening either, the Adobe page says it's on social networking sites but the only ones I use or visit are Photo.net, /., and Yahoo! I rarely visit Facebook, MySpace, YouTube, or others.

    Falcon

  58. Re:Clicked on the flash area in NoScript in the de by falconwolf · · Score: 1

    I use NoScript and Flashblock and find it works well. With both you can easily enable javascript if needed (for the likes of digg, etc.) while still stopping horrible flash advertisements showing up.

    Does Flashblock allow you to set what websites use Flash and which ones are blocked from using it? I don't mind Flash. What I don't like is when a site or page requires Flash, such as when the entire site is Flash, or when it makes it bandwidth hungry but isn't really needed.

    Falcon

  59. Wait a minute here... by grahamd0 · · Score: 1

    Did that summary just combine "Digg" and "legitimate" in the same sentence?

    There's got to be some rule of English grammar that prohibits that.

  60. NoScript sounds like something that you need. by falconwolf · · Score: 2, Informative

    I used to have ZoneAlarm as well. IMHO it is much better at configuring things like JavaScript access, etc. It has a very intuitive interface and is easily customizable.

    Yea, I loved how ZoneAlarm was configurable. I had it set by default to block all Java, objects, and scripts then when I came across a website I wanted to allow them I could quickly configure it. If I wanted to, and I did a number of times, I could temporarily let a website use them. How well do NoScript and Flashblock work though in Firefox 2.0.0.6? That's what I'm using. I could upgrade to Firefox 3 but I wonder if I can still use my current version.

    Falcon

    1. Re:NoScript sounds like something that you need. by unlametheweak · · Score: 1

      BTW, when I said "It has a very intuitive interface and is easily customizable," I was really talking about NoScript. I should have worded that better. Yes I remember Zone alarm being fairly straightforward as well with these things.

      Also, NoScript blocks Flash as well. I've never tried FlashBlock, but I think it would probably be redundant if you use NoScript.

      According to the NoScript Web Site: "Supported browsers: Firefox 1.5.0.6 and above, SeaMonkey 1.0.5 and above, Flock, IceWeasel, Minefield...". I was using FF 2 until a few weeks ago and it worked fine. It works just as well now that I'm using FF 3. At any rate it's easy enough to uninstall or disable if you don't like it or there are any problems.

      The main link:
      http://noscript.net/

      The program link:
      http://noscript.net/getit

    2. Re:NoScript sounds like something that you need. by xeoron · · Score: 1

      Noscript and Flashblock both work fine in Firefox 3.X. Most major plugins have been ported to version 3 or have comparative replacements. The added benefit to upgrading from 2.X is that it is so much faster loading and managing pages, which includes faster javascript code (for when someone wants to allow it), and has better memory management.

  61. Same result with Solaris by calidoscope · · Score: 1

    I tried the 'evil' link and didn't see anything amiss. Middle mouse button worked fine and had to use CTRL-V to see the result.

    --
    A Shadeless room is a brighter room.
  62. It's about time ... by gzipped_tar · · Score: 1

    ... for someone to write a Lisp script that hijacks the clipboard from EMACS.

    --
    Colorless green Cthulhu waits dreaming furiously.
  63. Re:Clicked on the flash area in NoScript in the de by Daengbo · · Score: 3, Funny

    I just use SWFDec. It avoids the Flash problem by failing to play about 50% of the stuff out there.

    The demo hijack page doesn't work, either. Surprise!

    Just kidding. I like SWFDec much better than Flash + nspluginwrapper on my 64-bit Lenny.

  64. Re:Clicked on the flash area in NoScript in the de by cheater512 · · Score: 1

    I don't hate flash because it's insecure.
    I hate it because it's abused and bloody slow.
    It's like Java in the 90s but worse.

    If I hit a site which uses a lot of flash, they don't get a second hit from me.

  65. Same Ol' Same Ol' by MightyMartian · · Score: 2, Interesting

    Once again we see the serious consequences of allowing a single company to serve a proprietary solution which opens up browsers and the platforms they run on to serious security flaws. This is ActiveX Part Deux, or perhaps Son of ActiveX.

    To some extent I blame the guys writing the browsers. They're the ones letting plugins and extensions have this much control over clipboards. The solution here is obvious, though Adobe may not like it, but at this point I think Adobe's concerns shouldn't even enter the equation.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Same Ol' Same Ol' by BitZtream · · Score: 1

      I'll bite ...

      Do you actually understand how applications work? In many cases it's far more useful to give access to more functionality then deal with security issues as they come up, than it is to write things in such a way that only the completely secure and extremely controllable functionality is exposed, in which, you'd STILL end up with unforeseen bugs.

      So ... do you want the ability to run Firefox with Greasemonkey and noscript and flash as an option, or would you rather that you can just view text on a web page because they haven't been able to secure the image loading process against all possible exploits, both those currently known and ones which may be invented in the future?

      The ONLY difference between a Firefox Plugin and an IE ActiveX is the way IE does auto-installs of the ActiveX. And really, the only difference there is that Firefox requires you to click a link on the page and wait for a button to enable itself after a time delay. Firefox extensions are otherwise more dangerous than ActiveX controls. Having written both ActiveX controls for IE, and Firefox and Thunderbird extensions I can say that it's FAR easier to write Firefox plugins than it is to make a useful ActiveX.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Same Ol' Same Ol' by MightyMartian · · Score: 1

      Give me a fucking break. The real issue here is that developers have been pushing an application to become an application platform, but have never really taken seriously the fact that as a platform, it needs to be locked down. Yes, there are always going to be security holes, but come on, if browser developers want to be operating system developers, then they should be putting in the same fine-grained control that modern operating systems provide. Noscript and related settings on other browsers are a ridiculous yet necessary hack because everyone still likes to pretend like "it's just a browser".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  66. No Flash... by Anonymous Coward · · Score: 0

    No Flash player or plug-in, no problem. End of story, nothing to see here. Move along.

  67. Go tell Adobe by elronxenu · · Score: 1

    It's just another reason for Adobe to open-source the Flash client, or alternately for browsers to not support proprietary Flash.

    With open source available, authors could work around the problem by removing the ability of flash scripts to write to the clipboard, or by limiting the number of times each script can write to the clipboard. If it's some desirable feature, then a capability checkbox can be added, on a per-script basis.

    1. Re:Go tell Adobe by MightyMartian · · Score: 3, Insightful

      After a decade of horrors visited upon the world by Internet Explorer, you'd think everyone would view such a large proportion of content being delivered via a proprietary format and software (one, mind you, that renders via software and doesn't even have a functioning 64 bit version) as so incredibly dangerous and foolish as to dismiss it.

      If just as much effort were put into a better streamlined and functional Javascript/ECMAscript interpreter based on open specs as is being put into reverse engineering Flash and now trying to figure out ways to secure it, we wouldn't even need the goddamn thing to begin with. There are better scripting engines than flash, there are better video formats than Flash, so why the fuck is so much attention paid to something that's so inherently flawed?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Go tell Adobe by John+Hasler · · Score: 1

      > With open source available, authors could work around the problem by removing the
      > ability of flash scripts to write to the clipboard...

      That would not be a workaround. That would be the addition of a feature. Nothing a script does should persist.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
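The two mitigations debated in the "Just a loop" and "Go tell Adobe" threads above, side by side, as an added example that is not part of any comment or of Flash itself: a same-string filter versus a per-script capability with a write budget. Every class and function name is hypothetical, and the URLs are constructed placeholders.

```javascript
// Added example. Models a plugin host sitting between scripts and the
// system clipboard. All names below are hypothetical.

// Policy A ("Just a loop"): refuse a script write that repeats the string
// the previous script write used.
class DedupFilter {
  constructor() {
    this.clipboard = "";
    this.lastScriptText = null;
  }
  userCopy(text) { this.clipboard = text; }  // the user's own Ctrl-C
  write(scriptId, text) {
    if (text === this.lastScriptText) return false;
    this.lastScriptText = text;
    this.clipboard = text;
    return true;
  }
}

// Policy B ("Go tell Adobe"): clipboard access is a per-script capability
// that is off by default, and each granted script has a write budget.
class BudgetGate {
  constructor(maxWritesPerScript) {
    this.clipboard = "";
    this.max = maxWritesPerScript;
    this.granted = new Set();  // scripts the user ticked the box for
    this.used = new Map();     // scriptId -> writes already spent
  }
  userCopy(text) { this.clipboard = text; }
  grant(scriptId) { this.granted.add(scriptId); }
  write(scriptId, text) {
    if (!this.granted.has(scriptId)) return false;
    const spent = this.used.get(scriptId) || 0;
    if (spent >= this.max) return false;
    this.used.set(scriptId, spent + 1);
    this.clipboard = text;
    return true;
  }
}

// Constructed stand-in for the looping banner: same destination every tick,
// but a different query argument, as the reply in "Just a loop" predicts.
function runLoopingBanner(gate, scriptId, ticks) {
  let accepted = 0;
  for (let i = 0; i < ticks; i++) {
    if (gate.write(scriptId, "http://ads.example.invalid/?n=" + i)) accepted++;
  }
  return accepted;
}

// Runs the same banner against both policies and reports what survived.
function compare(ticks) {
  const dedup = new DedupFilter();
  dedup.userCopy("my notes");
  const dedupAccepted = runLoopingBanner(dedup, "banner", ticks);

  const gate = new BudgetGate(1);
  gate.grant("shortener");  // one script the user chose to trust
  gate.userCopy("my notes");
  const gateAccepted = runLoopingBanner(gate, "banner", ticks);
  const userTextSurvived = gate.clipboard === "my notes";
  const firstTrusted = gate.write("shortener", "http://short.example.invalid/abc");
  const secondTrusted = gate.write("shortener", "http://short.example.invalid/def");

  return {
    dedupAccepted, dedupClipboard: dedup.clipboard,
    gateAccepted, userTextSurvived,
    firstTrusted, secondTrusted, gateClipboard: gate.clipboard,
  };
}
```

The same-string filter accepts every varied write and the user's text is lost, while the capability gate rejects the banner outright and still lets the one granted script copy once.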
  68. Remind me again... Why has Flash clipboard access? by Anonymous Coward · · Score: 0

    Seriously, why has a Flash movie access to the clipboard by default? It doesn't make any sense at all. But then again, the whole idea of Flash doesn't make any sense. Anyway, I've configured my IE to not load Flash objects at all, so this won't affect me, but I still like to bitch about it.

  69. .doubleclick.com by falconwolf · · Score: 1

    Why block Flash from .doubleclick.com when you can block .doubleclick.com itself?

    Falcon

  70. Hosts files by falconwolf · · Score: 1

    A better way to fix it would be a good /etc/hosts file that blocks all adservers and malware.

    I find it amusing /.ers don't know about hosts files. I've used one for years.

    Falcon

  71. Re:Clicked on the flash area in NoScript in the de by negRo_slim · · Score: 4, Funny

    I often hear people on Slashdot claiming that Flash is safe

    Well sir you must view /. at a much lower threshold than I do!

    --
    On the Oregon Cost born and raised, On the beach is where I spent most of my days
  72. Hosts files by falconwolf · · Score: 1

    AdBlock Plus + OpenDNS = I haven't seen an ad online in over 9 months.

    Hosts file = I haven't seen ads I didn't want to see in years. And I didn't have to install anything.

    Falcon

  73. Firefox pseudo-solution? by m6ack · · Score: 1

    AdBlock Plus + NoScript -- need I say more?

  74. just a friendly reminder to our friends at Adobe by postmortem · · Score: 1

    There's no flash for 64-bit platforms. They can't seem to be able to hack a 64-bit release, the code must be very ugly.

  75. Held responsible by Anonymous Coward · · Score: 0

    Advertising agencies really dropped the ball on this.
    Someone needs to be let go & agencies need to be compensating anyone affected.

    There's no excuse for this to have happened, the agency should have been accepting FLA files, only putting into production ones found to be harmless, and producing the SWF themselves. If this is already the process they use, whoever is in charge needs to be let go because they've obviously not been doing their job.

    Anyone qualified to lead or be part of a team managing advertisements which include Flash type media, should have been aware this was possible.

    I know how Flash works, I know how marketing works, there is no valid excuse for this to have happened whatsoever.

  76. Not new & not really a vulnerability. by Anonymous Coward · · Score: 0

    Flash has access to your clipboard, but this is by design. It is no different to the javascript "execCommand('copy');", although this is Internet Explorer only.

    The real issue here is the mac users saying that flash still has access to their clipboard after the window is closed. That is a clear security violation, but there are a lot worse things you can do than mess with the clipboard if that is indeed the case.

  77. I'm going to unconfirm by Safiire+Arrowny · · Score: 1

    It worked and copied evil.com into my clipboard, but I cannot confirm that it was impossible to get rid of or copy anything else. The first thing I copied got rid of it.

    OSX 10.5.4 here also.

  78. Gnash by Anonymous Coward · · Score: 0

    Has anyone tried this running gnash?

  79. Nogo with swfdec-mozilla 0.7.4 by xiando · · Score: 1

    I refuse to accept the Adobe Flashplayer license and therefore use Swfdec v0.7.4 (which is better than the only free alternative, GNU Gnash). The demo did (like too much other advanced flash content) not work as expected. Not that this is any reason to accept the Adobe license, YouTube and Dailymotion videos show and I do not really need the clipboard hijack "features".

  80. Re:Clicked on the flash area in NoScript in the de by jacquesm · · Score: 3, Insightful

    Worked here as well. One more point against flash, what on *earth* were they thinking when they put that 'feature' in there ?

  81. Re:Clicked on the flash area in NoScript in the de by jacquesm · · Score: 1

    makes you wonder what else is lurking in there ...

  82. No, you can't rely on FlashBlock by Giorgio+Maone · · Score: 1

    You should not depend on FlashBlock for security, because it can be easily circumvented. And, as reported in other comments, FlashBlock does not even work reliably against this very PoC.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  83. Re:Clicked on the flash area in NoScript in the de by SleepyHappyDoc · · Score: 1

    So my vote goes for Replacing the JavaScript VM with a hardened generic VM, with a fixed interface to the outside world, and adding JavaScript, Python, Ruby, Haskell, Ocaml and more as languages to it (via add-ons, or pre-compiled?)

    That's an interesting idea. I was thinking about setting up something similar...a VM with a browser all set up with whatever plugins I needed inside the VM. It would reset itself to the base config I had left whenever I closed it (grabbing bookmarks and such from something like Weave or Google Browser Sync on each fresh startup).

    --
    Stasis is death. Embrace change.
  84. Flashblock or NoScript by Anonymous Coward · · Score: 0
  85. Easily overcome in KDE by arizonagroovejet · · Score: 0

    I have seen inconsistent statements that the clipboard contents can only be overwritten after either the browser window can be closed or after the machine is restarted. If you are using KDE you can simply use 'Clear Clipboard History' in Klipper to get rid of the problem url.

  86. The X selection clipboard still works in Linux by sd.fhasldff · · Score: 1

    Select something, press middle mouse button (default). This isn't hijacked, although the ctrl-c, ctrl-v clipboard is.

    I wonder what happens if you're using a clipboard manager. I seem to recall running something once under KDE, but now that I run GNOME, I've been weaned off my need to customize anything (cough)...

  87. Re:Clicked on the flash area in NoScript in the de by bogado · · Score: 2, Informative

    Yes, flash block does have a list of allowed sites, and it alone can stop the attack.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  88. Re:Clicked on the flash area in NoScript in the de by bogado · · Score: 1

    Except that the concept on windows is and has been broken, the system requires the user have administration power on their machines. I know that MS have been trying to fix this, and may have already done so in vista (I have never used it), but my point is that concepts may be broken, so that no matter what implementation it will not work correctly.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  89. But Why Paste ? by DaveDerrick · · Score: 1

    Everyone is trying to find ways of stopping it copying to the clipboard. But why would you visit a URL that was pasted from the clipboard ? Most users dumb enough to fall for this type of attack don't even know the system clipboard exists ! (Don't laugh, I frequently have to explain to the wife what Ctrl-C, Ctrl-X & Ctrl-V actually do, I guess I'll stop now). If you're savvy, you would realise the attack had taken place & just not use the URL.

    1. Re:But Why Paste ? by zrq · · Score: 1

      In the comment before yours, someone mentioned that they used swfdec rather than the Adobe Flash player.
      First thing I did was to copy 'swfdec' from the page and paste it into the Google search box.

      Because this discussion is about malware and exploits, the 2nd thing I did was check what was pasted. ... but if I was concentrating on something else at the time I would probably not have checked.

      I used to use Windows desktop a long time ago but I have been using Linux on all my machines for several years now, and have got out of the habit of worrying about malware and browser exploits.
      Sigh. Guess the party is over, and I need to start being paranoid about malware and browser exploits again.

    2. Re:But Why Paste ? by DaveDerrick · · Score: 1

      I understand that, but you were pasting into the Google Search box (as I often do), not the browser URL box. All you would have got back was a Google search results page, not navigated to the malware site. How often does anyone paste from their clipboard into the URL navigation box ? Enough times to worry about this problem ? I think not.

  90. Re:Clicked on the flash area in NoScript in the de by Phydaux · · Score: 2, Informative

    I can only perceive malicious reasons why Web developers would try to force people to use these technologies.

    Never assume malice when stupidity will suffice.

  91. Re:Clicked on the flash area in NoScript in the de by Serious+Callers+Only · · Score: 2, Interesting

    Well, there's also video cam support - it is supposed to ask your permission first, but perhaps there are unexplored features/vulnerabilities in it too :

    http://www.macromedia.com/support/documentation/en/flashplayer/help/help04.html#117089

    If I was a hacker^^^^^^security researcher, I'd be looking there first.

    One of the reasons why I surf with Flash off.

  92. Myth busted on 10.4.11 w/Safari, Firefox3 by martinX · · Score: 1

    I tried it under 10.4.11 using Safari 3.1.2 and Firefox 3.0.1 and Flash whatever-the-latest-beta-is (I downloaded it to try and get a Vimeo video to stop stuttering - no go :-( ).

    While the demo tab is open, it takes over the clipboard. Close the tab and its control over the clipboard is released. Both browsers were OK. No quitting browsers, no restarting my Mac. Maybe 10.5 is different, or maybe you have a different version of Flash. Sort of vindicates Steve's lack of a clipboard on the iPhone though...

    --
    When they came for the communists, I said "He's next door. Take him away. Goddam commies."
  93. AV vendors, opportunity by Ilgaz · · Score: 1

    If some AV vendor ships some heuristic signature to detect this kind of attack and prevent it, I will defend that software and vendor in all occasions.

    Especially OS X antivirus vendors. Come on, signature update? You are selling software more expensive than Windows ones telling people to be "future ready".

    Let's see now...

  94. Noticed this ages ago, led to MSpaint DEP notices by Anonymous Coward · · Score: 0

    A while ago, I noticed that occasionally opening mspaint would result in some Data Execution Prevention warning. I know that mspaint, when opened with image data copied to the clipboard, would resize the canvas to the dimensions of the image data. I'm betting that there's a clipboard buffer overflow or something in mspaint and malicious flash has been exploiting this. This was a number of months ago.

  95. Re:Clicked on the flash area in NoScript in the de by stewbacca · · Score: 2, Insightful

    As with everything in life, you have to find the happy medium. Flash has legitimate purposes (rapid e-learning development and delivery, for example) that far outweigh the risks of clicking on a rogue advert. Do I want to disable Flash to feel "safe" and prevent unpleasantries, such as flashing/blinking/buy-me ads at the cost of not being able to conduct the mandatory training module I have to complete for work?

  96. Re:Clicked on the flash area in NoScript in the de by Anonymous Coward · · Score: 0

    I have ./ on my noscript whitelist, do you?

    Since dotslash.org and dotslash.com are spammy linkfarm sites, that doesn't sound like a good idea.

  97. Huh? by Anonymous Coward · · Score: 0

    You can either whitelist or blacklist Flash and javascript in Opera. Cookies too, for that matter. And you can set these things on a site-by-site basis.

    If you are using user javascript to whitelist Flash, you are doing it wrong.

  98. Re:Remind me again... Why has Flash clipboard acce by stewbacca · · Score: 1

    ..and by "access to the clipboard by default" you mean, just like any other program running has access to the clipboard? Unless, of course, you can tell me which of the daily apps I use can't actually copy and paste anything.

  99. Repeat after me: different does not equal bad by stewbacca · · Score: 1

    No, it has to do with the fact that flash is such a piece of crap. Adobe software is so annoying to deploy & maintain. Adobe doesn't follow the normal rules for installers & msi files for acrobat and Adobe CS, and there are many, many errors in the limited documentation that they provide. Even getting .msi installers for flash is a hassle.

    Uhhh...so says you? Just because Adobe products generally cater to creative types (illustration, photography, design&layout, etc.), who happen to generally not be technical types, doesn't make it bad, just different. I mean, just show what you typed about the .msi files and gibberish to any non-nerd and think about how silly your comment is when taken out of its comfy slashdot environment (i.e., into the real world).

    Further, flash (and silverlight) are overwhelmingly used for web crap.

    Well there's the proof right there! I hear .html is used overwhelmingly for web crap as well.

    I think once code-geeks and designers alike stop complaining that Application-X doesn't work the way THEY want it to work, and understand there are different tools for different audiences, these silly threads (like Mac vs. PC, iPhone vs. Nokia/Blackberry, or Flash-sucks, for example) will die their slow and deserved deaths.

  100. Re:Clicked on the flash area in NoScript in the de by Vancorps · · Score: 1

    What are you talking about? Windows doesn't require the user to run as administrator. Certain applications require it but there are thousands of corporations out there which don't give users that much access to their systems.

    The underlying result here is that if the user didn't have permission to install software in the first place then this vulnerability would be a moot point.

    In short, people aren't being smart and are being taken advantage of. It's no surprise, it's why I always create a separate installation user for computers I set up for other people. They run their machines as limited users and then they don't wind up with too much crap on their systems.

  101. Damn, my iPhone seems to be broken... by Anonymous Coward · · Score: 0

    I don't seem to be able to replicate this behavior on my iphone...

    Oh... right!

  102. Please elucidate. by uhlume · · Score: 1

    "Better choices?" To do what Flash excels at? Name two (aside from Silverlight, which I don't think anyone is prepared to seriously evaluate, yet).

    AJAX/DHTML isn't a better choice, it's a different choice. I'll give you that there's significant overlap in capabilities — and all else being equal, I'd rather see Javascript used where possible — but there are a lot of things you can do in Flash that you wouldn't want to try in Javascript, or which would be flatly impossible. (Including hiding your code and protecting it from tampering. Yes, those are legitimate goals in some cases.)

    Java (or a Java-based language like Processing) might be a better choice in some respects, if it had Flash's near-ubiquitous install base, or even Flash's ease of installation on most platforms — but it doesn't and it isn't. Pragmatically speaking, if you don't want to torture your users (and/or your support staff) Java just isn't a very good option outside of controlled deployment environments like corporate intranets.

    Even if they had universal browser support, SVG and VML aren't intended to do 90% of what Flash does.

    So what are these other, better alternatives? I'm curious to know.

    --
    SIERRA TANGO FOXTROT UNIFORM
    1. Re:Please elucidate. by FictionPimp · · Score: 1

      I think ajax is a better choice for 99% of every example of flash web design out there. Yes there are things flash/java can do that you can't do with html/css/javascript/some server side code, but those things are not really focused on web design.

      As I've pointed out, I wouldn't want to write a game using ajax, flash works great for that. I can't make something like youtube easily without flash. But for almost every other use I can think of, ajax is better.

      I would find it easier to give you more concrete explanations if I had examples of things you think flash does that merit its use in web design over html/css/javascript/and some server side code (php, asp, jsp, whatever).

      You did give one example, hiding source code. This shows me already that you are missing one fundamental truth about the web. You can't use obscurity for security. Hiding the source code in the case of a webpage does nothing. It doesn't prevent me from sniffing the traffic between your server and your client (especially if I am the client, cause I have to decrypt that info for it to be usable anyways), it doesn't stop me from using a decompiler for flash, it doesn't give you any level of security greater than javascript obfuscation, which I might point out I feel is also worthless.

      What really protects you is using well written server side code. Being able to read my javascript isn't going to give you any more insight into how to exploit my php page than just looking at what is getting sent via firebug. It won't save me if I'm not checking for sql injection and doing all that other best practices stuff.

      If a company wants to protect their source code from being read on a web page, they really have a fundamental misunderstanding on how the web works. Next they will be suing for people hyperlinking to their site, or calling the google cache copyright infringement.

      But again, if you have any web page examples (obviously a application such as a small 3d game would be better done in flash/java/native application), I'd be happy to give it a shot and explain why and how I feel it could be done better without flash.

    2. Re:Please elucidate. by uhlume · · Score: 1

      Firstly, "you can't use obscurity for security," is the sort of common wisdom that fails rational examination. Of course you can use obscurity to provide some degree of security. It's simply foolish to rely on it as your sole deterrent. But code hiding/obfuscation is mostly an incidental benefit. As you say, it's quite possible to circumvent by using a decompiler and/or sniffer to figure out what's going on. More to the point — and the issue you didn't really address — is the relative difficulty of tampering with (running) code as compared to Javascript. XSS/script injection attacks against compiled Flash applications are next to impossible: you might be able to use a naively-written Flash application with unvalidated inputs to bootstrap a script injection attack targeting other page elements, but the application itself is effectively inviolate.

      As for examples of (non-gaming) applications for which Flash is better suited than Javascript — I think I can come up with dozens of examples, but let me grab one from another open tab: an image-processing application demonstrating a sophisticated image redimensioning technique. (Which of course could also be done in Java — but what if you wanted to make an application like this as widely and easily accessible as possible? Java might not be the better solution.)

      --
      SIERRA TANGO FOXTROT UNIFORM
    3. Re:Please elucidate. by FictionPimp · · Score: 1

      Again, you are giving an example of an application, not a web page. Something like that might be better done in flash. 99% of everything else is not. How often is flash used like that? Not very often. Flash is mostly used in places it does not belong. Drop down menus, main content of sites, submission forms, preloading images, etc. It simply does not belong in web design. It is a very locked in way of developing some tiny interesting applications, and should be used for nothing more.

      What are 99% of websites? They are shopping carts, blogs, rss feeds, news, about us, forms, etc. All of that is perfectly done with just html/css and php/whatever. Javascript can make it better without losing any backwards compatibility and giving the user a lot of control over what happens. Flash can not.

      As for security, you simply can not control what happens on the client's machine. You might want to, but it is impossible. Having actually tried to write XSS/script attacks, it is much harder than you make it sound. I'd be better off infecting my target with malware through direct means (email and social engineering)

      But if those are the only reasons you have, it is not a convincing argument imho. I'm not going to start making my users login to a flash app instead of a good old html form for their security. SSL, html, and server side validation are enough for me.

    4. Re:Please elucidate. by uhlume · · Score: 1

      What's your definition of an "application" versus a "web page"? That seems a pretty useless distinction on the modern web.

      Invented (and thoroughly implausible) statistics like "99% of everything" aside, it's not hard to find egregious abuses of Flash on the web. It's also not hard to find abuses of popular AJAX and DHTML Javascript frameworks, or of images — or practically any other variety of web content you care to name. How many web sites have you seen, for instance, composed entirely of massive screen-resolution JPGs sliced or image-mapped into links? I don't believe that the use of Flash on the web is any more characterized by its most flagrant abuses than the use of JPGs, or animated GIFs, or Javascript, for that matter.

      Ironically, it wasn't so very many years ago that use of Javascript garnered the same sort of attitude from die-hard web purists that the use of Flash does today. Now hardly anyone so much as blinks at our increasing reliance on Javascript for core functionality.

      I'm not arguing that Flash is destined to play a similar role in the evolution of the web, or that it should. But to dismiss its usefulness out of hand seems needlessly limiting and short-sighted to me.

      --
      SIERRA TANGO FOXTROT UNIFORM
    5. Re:Please elucidate. by FictionPimp · · Score: 1

      Flash = no end user choice, no open source tools, no transparency (in a design sense, not a physical one), no accessibility, currently a vendor lock in to a single company (do you want to use GNASH?), currently has large security flaws (according to recent slashdot articles), I can keep going on.

      Javascript = consistent, well tested, poorly designed language. When used properly it is fully transparent to the end user, even allowing sites to work without it. Security flaws are now browser based and you can get browsers from many different vendors, you have no vendor lock in when you use javascript and there are tons of open source tools to make javascript development easy to do right (thank you jquery).

      On a side note, java is now almost 100% open source, giving even more reason to use that for more application type programs.

      And yes, there is a difference between an application and a web page. That window is shrinking, but even when it finally no longer exists there will be better options than flash.

      The main reason javascript was hated was because of poor browser standards for javascript and the DOM. It was also hated because of the way javascript was used (which is only one of the many reasons I dislike flash). Finally, it was hated because of the bandwidth limitations of modems. All of these issues are mostly resolved through javascript frameworks, better browser support and broadband.

      Regardless however, I for one do not want to use google flash maps or google flash mail. I love the flexibility real web design gives me. The only people this lock-in benefits are the large companies who want to dictate how the computer world is run. The only people who lose are everyone else.

  103. Users by fm6 · · Score: 1

    It's more secure, and simpler, to do

    ssh -v -l user2 localhost

    That way you don't have to mess with xhost and environment variable settings.

    The fact that this kind of hack is possible on Unix/Linux but not on Windows has nothing to do with support for multiple or non-admin users. It's purely historical. Unix started out as a time-sharing OS, Windows was always a single-user OS. Unix assumes that it has multiple users sitting in front of serial terminals, Windows assumes it has one user sitting in front of the actual computer.

    When the time came to adapt Unix to the GUI era, people assumed that people would continue to use it as a time-sharing system, so they invented graphic monitor technology to support GUIs over the wire: X-Windows. That assumption was economically flawed: graphic terminals are not a big cost savings over PCs, and indeed X-Terminals never achieved the necessary economies of scale to be even comparably priced. So X-Windows mostly ended up being implemented in Unix workstations. If Unix GUIs had been designed with the right assumptions (and some proprietary GUIs actually were) the GUI system wouldn't have this handy remote-user feature.

  104. What's a Hard-To-Delete URL? by elex · · Score: 1

    Can anyone give me an example?

  105. IE + No! Flash seems immune by MrDoh1 · · Score: 1

    For those of us that do still use and prefer Internet Explorer (and know how to use it safely and keep it clean), a free application called No! Flash exists and can be had from http://www.bbshare.com/.

    This little tray app, when enabled, seems to block the exploit completely, at least on Windows 2000 with IE6.

    The same little application optionally also blocks Javascript as well as a few other things.

    I discovered it while looking for something to block the annoying flash-based ads on Slashdot. Who knew it would actually keep me safer as well.


    And the normal disclaimer, I'm not affiliated, just found the application and think it's quite useful.

    --
    I am Homer of Borg. Resistance is Fut.. Mmmmmmmm, Donuts!
  106. Re:Clicked on the flash area in NoScript in the de by bogado · · Score: 2, Insightful

    Why do you have to do it, why is this not the default? The problem is that you started with a faulty concept and then to fix without breaking every other application is hard.

    As I said before, I know MS is trying hard to fix this, but that was not my point, I was only pointing out that concepts can be broken independently of their implementation.

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  107. Score! by Anonymous Coward · · Score: 0

    Man, I thought I was just being silly adding that topic to the OSX forum, but now I'm getting quoted in security discussions on slashdot? Hot diggity-damn!

    (and if you're wondering, I use adblock at home, but was getting hijacked on my work computers)

  108. Flash Ads are a real problem by Anonymous Coward · · Score: 0

    Premise: there is such thing as malicious Flash. Flash from unknown sources should always be blocked by users. (If you disagree with that premise, then the rest of my post will be meaningless to you.)

    A number of legitimate sites have been seen to host ads carrying the attack..

    Flash ads suck, because it's hard to audit someone else's compiled code. After the last one of these incidents, I played around with some flash disassemblers and came to the conclusion that maybe I could audit flash ads, but it would be time consuming -- far more expensive (at least two orders of magnitude) than the potential revenue from running the ad. I guess there might be some Adobe product that disassembles them even better, but even so, the problem will remain. I don't want to get into an obfuscation-vs-auditing arms race. Someone out there will outsmart me. Ad-by-ad auditing isn't viable.

    When the ad people (e.g. Ruxton) send me Flash shit, I feel dirty. It's all well and good to recommend to your users that they run a Flash blocker or don't install the Flash plugin to begin with. And that is what I do recommend; Flash may have some good use that I haven't heard of yet, but its security problems mean it has no place on the internet. But I can't count on my site's users to do that. Every flash ad is a potential disaster waiting to happen to other people, but when my site is the vector for their risk, ugh.

    One ethically-sound approach, of course, is to not run the ads. Just say "sorry, we don't do flash ads." But saying no to people who pay the money is hard. It's really hard. And that's especially true if my competitors don't say no.

    Another ethically-sound approach is to not take responsibility for problems that other people have inflicted upon themselves. If you install Flash on an internet-connected computer, you bear responsibility for doing a thing that you should have known is harmful to yourself. It's an ethically valid stance, but it's also really hard-assed and insensitive. I hate doing that. But it's what I do.

    I wish we could all somehow band together and make "No Flash Ads" an industry standard, so that they are the exceptional weirdos when they ask for it, instead of me being the exceptional weirdo for saying no. If we did that, then I could say no.

    Right now, I can't. Ad money puts the food on my table.
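
    A first-pass triage of the kind of submitted-ad review discussed in the comment above, as an added example that is not part of the original post: it unpacks an SWF (the `FWS`/`CWS` header with its zlib-compressed body) and reports string references to `setClipboard`, the call named in the story summary, together with any embedded URLs. The sample files are constructed (header plus strings only, not playable SWFs), the function names are this example's own, and a string match is only a hint for a human reviewer, not a verdict.

```python
import re
import struct
import zlib

# ActionScript API name the story summary ties to the clipboard writes.
API_NAMES = ("setClipboard",)
MAX_BODY = 16 * 1024 * 1024          # cap on decompressed size (zlib-bomb guard)
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
URL = re.compile(r"https?://[^\s\"'<>]+")


class SwfError(ValueError):
    """Raised when the input is not a parseable FWS/CWS file."""


def unpack_swf(data, max_body=MAX_BODY):
    """Return (version, declared_length, body) with the body decompressed."""
    if len(data) < 8:
        raise SwfError("shorter than the 8-byte SWF header")
    signature, version = data[:3], data[3]
    (declared,) = struct.unpack("<I", data[4:8])   # file length once unpacked
    if signature == b"FWS":                        # body stored as-is
        body = data[8:]
    elif signature == b"CWS":                      # zlib stream after the header
        inflater = zlib.decompressobj()
        try:
            # Ask for one byte more than the cap so an oversize body is visible.
            body = inflater.decompress(data[8:], max_body + 1)
        except zlib.error as exc:
            raise SwfError(f"bad zlib stream: {exc}") from exc
    else:
        raise SwfError(f"unsupported signature {signature!r}")
    if len(body) > max_body:
        raise SwfError("body exceeds size cap")
    return version, declared, body


def triage(data):
    """Summarise what a reviewer should look at before accepting the file."""
    version, declared, body = unpack_swf(data)
    strings = [m.group().decode("ascii") for m in PRINTABLE.finditer(body)]
    return {
        "version": version,
        "compressed": data[:3] == b"CWS",
        # A header length that disagrees with the real size is worth a look.
        "length_ok": declared == len(body) + 8,
        "api_hits": sorted({n for n in API_NAMES for s in strings if n in s}),
        "urls": [u for s in strings for u in URL.findall(s)],
    }


def make_sample(strings, compressed=True, version=9):
    """Constructed test input: SWF header plus NUL-terminated strings only."""
    body = b"".join(s.encode("ascii") + b"\x00" for s in strings)
    header_tail = bytes([version]) + struct.pack("<I", len(body) + 8)
    if compressed:
        return b"CWS" + header_tail + zlib.compress(body)
    return b"FWS" + header_tail + body


# Constructed samples; the URL uses the reserved .invalid TLD.
SUSPECT_AD = make_sample(
    ["System", "setClipboard", "http://av-scan.example.invalid/install"])
CLEAN_AD = make_sample(["getURL", "clickTAG", "_blank"], compressed=False)

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_AD), ("clean", CLEAN_AD)):
        print(name, triage(blob))
```
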

  109. Re:Clicked on the flash area in NoScript in the de by Anonymous Coward · · Score: 0

    One more point for the jumping on the "omg flash is the sux" bandwagon. This has been possible in javascript for years (execcommand("copy") anyone?)

  110. Re:Clicked on the flash area in NoScript in the de by davidsyes · · Score: 1

    Flash and Malware? Just call it MASHWare... you're MASHED up against the wall if on a given site you NEED mal, flal, umm, FLASH to use the site...

    Seems like Flash will become the tool/exploit of choice and become a FLASHBANG and clog up the tubes and pipes, blinding users on the Internets when they don't wear DHLS-approved UV/Flash-Resistant eye wear such as gold-plated goggles.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  111. even better on ubuntu by Xtifr · · Score: 1

    closing the tab in firefox 3.0.1 on Ubuntu 8.04 works for me.

    On Ubuntu (and presumably other X11-based systems), the "middle-click clipboard" (which is what I use 90% of the time) is completely unaffected. Only the annoying ^X/^C clipboard, which I almost never use, is affected. I cut-and-pasted the above quote even though ^V currently gives me: http://www.evil.com./

    I could probably be hit with the real version of this thing and not notice for upwards of a week. :)

    (I'll bet money that there's no rebooting required to clean this out either. At the very worst, restarting the X server should be more than adequate.)

  112. just cleaned something up by djb710 · · Score: 1

    I just had one computer that was affected with some sort of variant of this flash banner malware. It had a window warning of viruses, and it claimed to be xp2008 virus scan. It was installed and I removed it from add/remove and then I shut down 2 processes to get symantec running. symantec eventually picked up 13 other viruses. All I have to say is, there's going to be a lot of infected computers in the near future if they don't clean this mess up.

  113. Re:Clicked on the flash area in NoScript in the de by falconwolf · · Score: 1

    Yes, flash block does have a list of allowed sites, and it alone can stop the attack.

    Okay, guess I'll check it out.

    Falcon

  114. Did you copy some other text? by falconwolf · · Score: 1

    No, I didn't.

    Falcon

  115. Re:Clicked on the flash area in NoScript in the de by Hurricane78 · · Score: 1

    The idea of the security model in Vista - as it was meant to be, before the crooks modified it - actually is one level better than every other desktop OS, and even most server OSes. Trusted computing is a good thing, if *YOU* are the one who is the boss/decider over his system.
    Unfortunately they decided... not to trust... YOU! The control goes to MS. And MS asks the media industry. The rest follows from that.

    So Vista probably would be able to pull it off... theoretically...
    In reality, there are the usual non-fixed security holes, really retarded "security" schemes (like trusting setup executables, depending on their file name), and the typical Microsoft-attitude, plus the problem that it's the evil version of TCPA.

    But you are right. If the general architecture is so broken, that it does not even allow the implementation of a secure system without nearly creating a virtual CPU, then we can safely say that there is no sense in implementing it, and therefore it will never work correctly. (Of course, then you would simply replace the general architecture (e.g. install another OS).)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  116. Re:Clicked on the flash area in NoScript in the de by Hurricane78 · · Score: 1

    I tried Windows XP once for a year in user-mode, where you had to do something like sudo to use administrator-stuff.
    It was a major annoyance, without actually adding much security.

    You *can* run it that way. But it certainly is not made for it. This "sudo" was an open-source tool that I had to add myself.
    And still I often ran into problems with applications trying to access non-user stuff.
    So you can say that the application developers are responsible too. But not solely.

    Well, now I use Linux, so the problems are gone (but new ones *emerged* *hint*hint*)

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.