Adobe Flash Ads Launching Clipboard Hijack Attacks
bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."
Umm.. yeah, and then you'll say "sure, install this program I didn't even ask to install". If that's something to be worried about then no amount of "security" is going to protect these people.
How we know is more important than what we know.
These days you have to go out of your way to avoid flash by learning about and installing less popular Web browsers like Firefox and installing extensions (Add-ons) like NoScript that you have to educate yourself about. These days even browsers like Firefox come pre-installed with crapware and bloatware like Microsoft DRM and Shockwave Flash. These things I have manually disabled.
I often hear people on Slashdot claiming that Flash is safe, but I also constantly hear about flash-based exploits as well. To most Slashdot users I would think Flash would be relatively safe, however most people are not Slashdot users.
The Internet is becoming less accessible to me as the years go by. There is no need for Flash or Java or JavaScript (to navigate to a URL for example). I can only perceive malicious reasons why Web developers would try to force people to use these technologies.
When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.
But I fail to see how you can leverage this to gain privs.
1. Every 100ms, put some evil UNIX commands on the clipboard, surrounded by line breaks. I'm sure you can come up with a one-liner that compromises a user's system.
2. Hope someone will paste into a Terminal window while your evil page is open.
I paste into Terminal windows all the time. For example, I might copy an error message and then grep another file for the message. If there's an evil web page open while I do that, the paste will own me.
The shareholder is always right.
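As an added example (not part of the original comments): a check that a paste helper or terminal wrapper could run over clipboard text before handing it to a shell, catching the line-break trick described in the comment above. The function names and the sample strings are constructed for illustration.

```python
import re
import unicodedata

# Control characters other than tab; CR and LF are handled separately below.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_LINE_BREAK = re.compile(r"[\r\n]")


def _is_invisible(ch: str) -> bool:
    # Unicode "format" characters: zero-width spaces, bidi overrides, etc.
    return unicodedata.category(ch) == "Cf"


def inspect_paste(text: str) -> list[str]:
    """Return the reasons why pasting `text` at a shell prompt is unsafe."""
    findings = []
    if _LINE_BREAK.search(text):
        # A line break makes the shell run whatever precedes it immediately,
        # before the user has a chance to read what was pasted.
        findings.append("line-break")
    if _CONTROL.search(text):
        # Includes ESC, which can start terminal control sequences.
        findings.append("control-char")
    if any(_is_invisible(ch) for ch in text):
        # Invisible characters can hide part of the pasted content.
        findings.append("invisible-char")
    return findings


def to_single_line(text: str) -> str:
    """Make clipboard text inert: one line, no control or invisible chars."""
    text = _CONTROL.sub("", text)
    text = "".join(ch for ch in text if not _is_invisible(ch))
    # Collapse every run of line breaks into a space so nothing auto-executes;
    # the text then sits at the prompt until the user reviews it.
    return re.sub(r"[\r\n]+", " ", text).strip()


if __name__ == "__main__":
    # Constructed sample: a harmless command wrapped in line breaks.
    sample = "\necho constructed-sample\n"
    print(inspect_paste(sample), repr(to_single_line(sample)))
```
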
> When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.
This may be true, except if you want to do a real web application. Loading a whole HTML page, just to change some state of a (non-form-element) interface element... That's insanity. ;)
You've done the same that someone in a trauma does. You've created false associations. It's not the technology or even the virtual machine that's bad. It's the implementation.
Your argument is the same, as if someone who had only bad experiences with x86, while having good ones with his old 86000s, argues that "if an application requires x86, then that application is never again used."
The same is true for OSes. Someone could implement Windows XP in a proper manner, and make it a very safe system. (I did not say that someone would want, though
Or in short:
Someone can crack a bad JavaScript VM and contaminate the rest of the system. And someone could crack a bad OS, and contaminate the rest of the system. There are even examples for this on virtualization VMs. (Heck, the system's clipboard is accessible to all 3 of them, on modern VMs!)
So my vote goes for replacing the JavaScript VM with a hardened generic VM, with a fixed interface to the outside world, and adding JavaScript, Python, Ruby, Haskell, OCaml and more as languages to it (via add-ons, or pre-compiled?)
Okay, I think one should remove at least one layer of abstraction/VM and harden the OS so that even OpenGL on JavaScript would not have a performance loss. (Yes, this would be useful. Eg. for quick dynamic data visualization or entertainment applications.)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
So, basically, writing to your hard drive is twice as hard as it is on a normal computer? And you call that a feature that should be installed by default?
Your original problem is that you have programs installed that do stuff to your computer that you don't want. And your solution is an extra layer that those programs are not designed to penetrate. There are two problems with having such software installed by default:
a) it would be twice as hard to do stuff. I'm sure you realize this, and have already gotten used to it, and accept it.
b) if this software became popular, then any malicious, or just poorly behaved software that does stuff you don't want, such as write to the hard disk, will write to the hard disk as normal, and then penetrate your extra layer of obscurity to actually write to the hard disk. Programmers would be somewhat inconvenienced, and would have to use special libraries for writing to the hard disk, and users would be annoyed.
This EWF software you speak of is for a niche market, and would fail for everybody if it became popular. It's sort of how Linux doesn't have many viruses. Except Linux not having viruses is a side effect, and there are plenty of other reasons to use Linux if it became popular and malware authors decided to target it, whereas your software would fail if it became popular, and malware authors targeted it.
It's kind of like how the Windows outgoing firewall is useless. Every piece of malware knows to put themselves on that whitelist. Whereas if you use a software firewall that is not installed by default, then chances are good that the malware author didn't spend time on bypassing that one.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
After a decade of horrors visited upon the world by Internet Explorer, you'd think everyone would view such a large proportion of content being delivered via a proprietary format and software (one, mind you, that renders via software and doesn't even have a functioning 64 bit version) as so incredibly dangerous and foolish as to dismiss it.
If just as much effort were put into a better streamlined and functional Javascript/ECMAscript interpreter based on open specs as is being put into reverse engineering Flash and now trying to figure out ways to secure it, we wouldn't even need the goddamn thing to begin with. There are better scripting engines than flash, there are better video formats than Flash, so why the fuck is so much attention paid to something that's so inherently flawed?
The world's burning. Moped Jesus spotted on I50. Details at 11.
Worked here as well. One more point against Flash: what on *earth* were they thinking when they put that 'feature' in there?
MP3 Search Engine