Adobe Flash Ads Launching Clipboard Hijack Attacks

bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."

Clicked on the flash area in NoScript in the demo

[Derek+Pomery]

But although the flash launched, that wasn't enough to get the attack going.
And given how much it takes for me to do even that, I don't think NoScript users have much to be worried about.

flashblock

[owlnation]

as though we really need yet another reason to use flashblock...

This one small piece of technology has made browsing the web bearable again. I can't ever thank its developers enough.

Re:flashblock

[enoz]

You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

Re:flashblock

[gstoddart]

You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session. It would be nice to copy a link from a trusted site into a browser set up to not trust anyone and be in a very locked down mode.

For me, I would find that to be a useful feature -- two browsers with two profiles, and as long as the two have distinct visual settings, you can have the best of both worlds.

Cheers

Re:flashblock

[JayGuerette]

But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session.

Yes, you are completely wrong. My wife and I have discrete Firefox profiles on one computer, and often have 2 browser windows open, one on each profile. She has her own plugins, preferences, bookmarks, & history; and I have mine. Use the profile manager to create the profiles, add "-no-remote -p profilename" to a shortcut, and you're good to go. There was a plugin for FF2 called FireTitle, that allowed us to put our profile names in the window title, but alas it's not been updated for FF3.

Re:flashblock

[black_lbi]

as though we really need yet another reason to use flashblock...

I've checked the demo, and although the flash is blocked, it initially modifies my clipboard content. But I can use ctrl-c to replace it with something else. If the flash isn't blocked, ctrl-c is useless.
So flashblock kinda helps you, but you're still vulnerable.

Re:flashblock

[enoz]

Try this for overriding an incompatible extension:

Open the .xpi as a zip file and extract install.rdf

Edit the em:maxVersion tag and set to 3.*, or whatever version you want it valid until.

Insert the updated install.rdf into the .xpi and install into Firefox.

Check that it doesn't implode.

Enjoy.

I have successfully used this with several extensions, YMMV.

confirmed on mac os x 10.5.4

[v1]

it copied "http://www.evil.com/ to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

Re:confirmed on mac os x 10.5.4

[Mr.+Marabou+Man]

Yeah ? Interesting. On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away. YMMV, obviously.

Re:confirmed on mac os x 10.5.4

[fluffman86]

ditto. closing the tab in firefox 3.0.1 on Ubuntu 8.04 works for me.

Re:confirmed on mac os x 10.5.4

[mr_mischief]

Closing just the tab worked for me on these browsers on Mandriva:

Firefox 3.0.1 (from Mozilla's site)
Firefox 2.0.0.16 (from the repository).
Opera 9.50 (from Opera's site)

Too lazy right now to fire up Windows or Mac.

Re:confirmed on mac os x 10.5.4

[falconwolf]

it copied "http://www.evil.com/ to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

Using Firefox quiting wasn't enough, but logging out of the user then logging back in worked. That's another good reason to have a non superuser, non admin user user profile.

Falcon

Re:confirmed on mac os x 10.5.4

[falconwolf]

On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away.

My setup is Firefox 2.0.0.6 running on 10.4.11 and I had to logout of my user account then log back in. Simply quiting Firefox didn't work.

Falcon

Write Filter = Best Antivirus

[Z34107]

Good thing my laptop runs EWF drivers. Any changes made to the C volume (a solid state drive) made in memory instead. Everything works like you'd expect it to - delete a file and it's gone - until you reboot, that is, and all of your in-memory changes are discarded.

I'd like to see XP Antivirus Pro 2008 thoroughly embed its tendrils... and then survive a restart. No changes are committed unless I manually force it.

Considering that Circuit City will sell you a PC with 6 GB of RAM for $999, I wonder why EWF isn't a standard feature. Probably because somebody would forget that defragging your hard disk would exhaust available RAM and then die, or wonder where that program they just installed went after they rebooted...

Linux has a similar filesystem, I believe it's used for boot CDs. It pairs the read-only volume with a RAM drive, and all writes are cached there and discarded.

Re:Write Filter = Best Antivirus

[bgerlich]

Try searching in desktops, laptop is not the only option in most stores ... yet.

Re:Write Filter = Best Antivirus

Linux has a similar filesystem, I believe it's used for boot CDs. It pairs the read-only volume with a RAM drive, and all writes are cached there and discarded.

UnionFS works great for this. I work on an embedded Linux device, and use a SquashFS root on a 8MB NOR flash chip, with a union-mounted TmpFS filesystem on top. When release firmware ships, only the SquashFS base is ever used, so memory is free for apps. But for development, it's really convenient to be able to throw on a big file temporarily, try things out, then just hit the reset switch to wipe things back to a default state.

I've seen a couple of bootable CD distros that use this same combo (SquashFS + TmpFS via UnionFS). The even more interesting possibilities involve a read-only CD or DVD + a USB keyfob, which provides a non-volatile overlay.

Re:Write Filter = Best Antivirus

[SirMeliot]

No no no no!

EWF != malware protection.

If the filter gets flushed to disk (maybe you apply an update to something), the malware gets fulshed too. Plus Microsoft provide a nice API to EWF so if the malware author wants to, all he has to do is load the EWF dll and make a single call and he's in there forever!

Even if the malware isn't flushed there's nothing to prevent you picking it up again next boot.

Shockwave...

[azav]

I'll bet you can do it too in Shockwave with copyToClipboard. It is a little trickier though as copytoClipboard holds the reference to the Director member copied IIRC. Thinking about it, any web service that supports the clipboard should be able to do this.

How to fix this:

[MrMista_B]

http://adblockplus.org/en/

Problem solved!

Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

Re:How to fix this:

[redcaboodle]

You have problems....

Surely - because with Adblock you block AFTER you have seen the Flash. So unless the Flash comes from an already blocked source (*.doubleclick.com?) it will already have done its evil magic.

Only if you block all Flash you did not specifically allow you are clear. NoScript should work, then.

And some of us have to develop in Flash (stupid designer - stupid clients) so NoScript is out of the question.

Re:How to fix this:

[tlhIngan]

http://adblockplus.org/en/

Problem solved!

Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

May I suggest a solution that's better, and doesn't leech?

Try NoScript - http://noscript.net/

It doesn't leech since static banner ads load up just fine, but NoScript blocks flash, java, and other plug-ins (PDF, etc) by default. It also disables javascript on a per-domain basis (plus detects and blocks XSS attacks).

And yet, if you want to see that YouTube video, just click the placeholder, and it'll ask if you really want to load whatever it is. For Javascript, click the icon and you can enable and disable the various scripts that may exist on a page (many across many domains). Nothing more fun than allowing javascript from the primary site, but disable javascript that loads ads and other junk.

Plus, having javascript off by default makes the web go much faster. It can always be re-enabled later on, leaving horrible CPU-wasting scripts from even running.

Me personally, I run a combination of FlashBlock + NoScript. This has a wierd effect as NoScript blocks the flash, click it, and then FlashBlock blocks it, then sometimes NoScript blocks it again. Sometimes a hassle, but saves me from inadvertent clicks.

The only XSS at times I find annoying is when purchasing from sites that use Paypal. But that's simply a click, then "Unsafe Reload" (reload the page with XSS), which fixes it.

It's amazing how many sites work great with NoScript, and how many sites are so poorly coded they need javascript to handle a hyperlink.

Re:How to fix this:

Not quite. I have ABP installed on FF3 and unless you specifically tell it to block Flash, it will still copy to the Clipboard, on Windows:

      http://www.evil.com

Lame results with Linux

[keeboo]

Well I accessed the page under Linux and Firefox 2 and the following things happened:

The middle mouse button pastes as usual.
The hijacked content only appeared with CTRL-V.

All I need to do is to close the page tab and it's gone.

Disappointing.

Not affected it seems ...

[YeeHaW_Jelte]

... on this old system with SuSE 9.1, FF 2.0.014, flash 7.

Hoorah for lazy upgrading ;)

Re:It may not be this

[riceboy50]

If you are using FF3 and beta Firebug, then you are probably seeing the DOM corruption bug that I see when ads are inserting into the DOM. The symptom is that the whole page disappears except for that ad. I've seen this behavior on several sites, including /. I haven't figured out a remedy yet except to disable Firebug, and we all know that's not going to happen!

Confirmed in Opera 9.25

[Rockoon]

I realize its probably not the latest version of Opera...

Opposite experience

[Anpheus]

I enabled the object in Firefox 3.0.1 with NoScript 1.7.8, Flash version is 9.0r124, and yes, it did set my clipboard.

Re:What about Opera?

[hellwig]

Tried with Opera 9.51 on gOs/Ubuntu 7.10 and it did copy the url to my clipboard which I was unable to replace (with ctrl+c) until I closed the tab. After closure, I regained control of my clipboard.

I tried using a user javascript file that would block all flash content and allow me to individually activate the various flash files, but I had problems with things like YouTube, and eventually I abandoned it when certain websites I frequented used Flash for the most obsurd reasons (don't remember which, this was over a year ago). Might be worthwhile to bring it back.

Re:Clicked on the flash area in NoScript in the de

Now I'm pissed why on earth are flash applications allowed to even go near our clipboards without explicit permission?

I remember a decade ago there were javascript functions to manipulate the clipboard but at least browser vendors have the common sense to disallow such actions without at least explict permissions.

Apparently security and privacy are second class citizen to Adobe. I'm very concerned.. this whole issue was addressed years ago..WTF?!?

NoScript sounds like something that you need.

[falconwolf]

I used to have ZoneAlarm as well. IMHO it is much better at configuring things like JavaScript access, etc. It has a very intuitive interface and is easily customizable.

Yea, I loved how ZoneAlarm was configurable. I had it set by default to block all Java, objects, and scripts then when I came across a website I wanted to allow them I could quickly configure it. If I wanted to, and I did a number of tymes, I could temporarily let a website use them. How well do NoScript and Flashblock work though in Firefox 2.0.0.6? That's what I'm using. I could upgrade to Firefox 3 but I wonder if I can still use my current version.

Falcon

Re:what sort of flash?

No thats happening in Auckland New Zealand
http://www.stuff.co.nz/4662948a11.html

Re:It may not be this

[riceboy50]

Yeah, I know. I saw that they released an update today, which I'm not sure if it addresses the issue or not, but it was happening to me if the extension was enabled at all—regardless of whether I had the panels enabled or not.

Re:Yes, its annoying

[x2A]

"The thing is, there are legitimate reasons why Flash, or any other web app, may access the clipboard"

Yep, which is why I actually have the browser ask me if an attempt is made whether to allow it. But, flash adverts shouldn't mess with your clipboard, which is why I believe the banner companies should do the screening/filtering, not that flash should have the functionality removed.

Re:Hard to remove?

[budgenator]

you can in KDE just open k;ipper, In windows I'd imagine I'd open wordpad and ctrl-v to see what was there.

Re:Hard to remove?

[muffen]

... yea, or you can RTFA and reach the following conclusion.

Demo:
(BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

Exploit:
From TFA
My clipboard has been hijacked with this:
[ malicious URL deleted ]
And once it's in the clipboard, I can't copy anything else over it until I've restarted the machine.

So basically, real exploit != demo exploit.

Re:Clicked on the flash area in NoScript in the de

[bogado]

Yes flash block do have a list of allowed site, and it alone can stop the attack.

Re:Clicked on the flash area in NoScript in the de

[Phydaux]

I can only perceive malicious reasons why Web developers would try to force people to use these technologies.

Never assume malice when stupidity will suffice.