Adobe Flash Ads Launching Clipboard Hijack Attacks

bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."

Clicked on the flash area in NoScript in the demo

[Derek+Pomery]

But although the flash launched, that wasn't enough to get the attack going.
And given how much it takes for me to do even that, I don't think NoScript users have much to be worried about.

what sort of flash?

"Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards..."

booby flash?

flashblock

[owlnation]

as though we really need yet another reason to use flashblock...

This one small piece of technology has made browsing the web bearable again. I can't ever thank its developers enough.

Re:flashblock

[enoz]

You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

Re:flashblock

[smittyoneeach]

This is /., where over-engineering would be considered a virtue if laziness hadn't won out.

Re:flashblock

[FictionPimp]

I have talked quite a few companies out of using flash while consulting for them. I have used many legitimate reasons. Accessibility for the disabled, backwards compatibility, not using a business model dependent on a 3rd parties proprietary software, and the general annoyance of most users when they encounter a flash based website. I have found that a nice clean site developed with good web standards can do 99% of what most people want to do with flash. It will fail better on older browsers, it will load faster (in most cases), and it will be more usable by the customer with the least amount of work (larger fonts, screen readers, alternate color schemes, opening windows in new tabs, bookmarking, etc).

IMHO, companies that choose to use flash do so because they don't have the resources to see there are better choices AND they already know flash.

Re:flashblock

[gstoddart]

You could just create multiple profiles in Firefox, and then load the secondary profile with "-no-remote" so that it doesn't intercept any URLs or clicks that would normally load in your primary browser.

But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session. It would be nice to copy a link from a trusted site into a browser set up to not trust anyone and be in a very locked down mode.

For me, I would find that to be a useful feature -- two browsers with two profiles, and as long as the two have distinct visual settings, you can have the best of both worlds.

Cheers

Re:flashblock

[FictionPimp]

I've seen good flash work. For example there was a drum kit builder I ran across where you could select drums, change colors, locations, etc. It was done really well and would of been a messy project to do with javascript. Another great example might be a 3d view of a car that lets you adjust options via a menu system.

I'm also a fan of flash games. It lowers the level of entry for game writers and performs well. However, most of the flash people want to do seems to be in places where it simply does not belong. For example site navigation, or content.

I remember trying to look up local car dealerships in my area to buy a new car. I couldn't stand how every site needed to pre-load, play music (with no option to turn off) and animate with sound every single content switch. I just wanted to look at what was on their lot, I wanted to open up the items I was interested in on separate tabs so I could compare them. The experience was so horrible I ended up just visiting the dealers (of course maybe that was their idea....)

Re:flashblock

[JayGuerette]

But, you still can't (AFAIK) run two instances of the browser running under different profiles at the same time. Sometimes it would be nice to have 2 different profiles running at the same time so you could go to sites you trust in one, and sites you don't in another.

Now, I'm perfectly willing to be told I'm wrong (in fact, if someone can I'd love to know how), but I have yet to find a way to have two profiles of Firefox running under Windows at the same time in the same Windows session.

Yes, you are completely wrong. My wife and I have discrete Firefox profiles on one computer, and often have 2 browser windows open, one on each profile. She has her own plugins, preferences, bookmarks, & history; and I have mine. Use the profile manager to create the profiles, add "-no-remote -p profilename" to a shortcut, and you're good to go. There was a plugin for FF2 called FireTitle, that allowed us to put our profile names in the window title, but alas it's not been updated for FF3.

Re:flashblock

[black_lbi]

as though we really need yet another reason to use flashblock...

I've checked the demo, and although the flash is blocked, it initially modifies my clipboard content. But I can use ctrl-c to replace it with something else. If the flash isn't blocked, ctrl-c is useless.
So flashblock kinda helps you, but you're still vulnerable.

Re:flashblock

[enoz]

Try this for overriding an incompatible extension:

Open the .xpi as a zip file and extract install.rdf

Edit the em:maxVersion tag and set to 3.*, or whatever version you want it valid until.

Insert the updated install.rdf into the .xpi and install into Firefox.

Check that it doesn't implode.

Enjoy.

I have successfully used this with several extensions, YMMV.

confirmed on mac os x 10.5.4

[v1]

it copied "http://www.evil.com/ to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

Re:confirmed on mac os x 10.5.4

[ScentCone]

confirmed on mac os x 10.5.4

I'm sorry, but you're using a Mac and anything like this is completely impossible. Why do you hate Mac users, that you would say such a disturbing thing? You are mean.

Re:confirmed on mac os x 10.5.4

[Mr.+Marabou+Man]

Yeah ? Interesting. On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away. YMMV, obviously.

Re:confirmed on mac os x 10.5.4

[pushing-robot]

Here on 10.5.4/Safari 3.1.2, closing the browser window/tab or simply navigating to another page fixes it.

Still, it's disturbing that a web site can copy data to the clipboard without permission. Browser makers need to make plugin content opt-in (a la flashblock), or at least run plugins in a very limited sandbox until the user requests otherwise.

Re:confirmed on mac os x 10.5.4

[fluffman86]

ditto. closing the tab in firefox 3.0.1 on Ubuntu 8.04 works for me.

Re:confirmed on mac os x 10.5.4

[mr_mischief]

Closing just the tab worked for me on these browsers on Mandriva:

Firefox 3.0.1 (from Mozilla's site)
Firefox 2.0.0.16 (from the repository).
Opera 9.50 (from Opera's site)

Too lazy right now to fire up Windows or Mac.

Re:confirmed on mac os x 10.5.4

[falconwolf]

it copied "http://www.evil.com/ to my clipboard. Any app I pasted into pasted that url. I tried many apps to copy something to the clipboard but it remained evil.

The article says in one place you have to restart, and in another you have to close your browser window. I found that closing safari was not sufficient, and I had to quit safari to successfully copy different data into my clipboard with other apps.

Using Firefox quiting wasn't enough, but logging out of the user then logging back in worked. That's another good reason to have a non superuser, non admin user user profile.

Falcon

Re:confirmed on mac os x 10.5.4

[falconwolf]

On my setups (Firefox 3.0.1 on Slackware & Tiger, Safari 3.1.2 on Tiger), closing the tab is sufficient to make it go away.

My setup is Firefox 2.0.0.6 running on 10.4.11 and I had to logout of my user account then log back in. Simply quiting Firefox didn't work.

Falcon

Write Filter = Best Antivirus

[Z34107]

Good thing my laptop runs EWF drivers. Any changes made to the C volume (a solid state drive) made in memory instead. Everything works like you'd expect it to - delete a file and it's gone - until you reboot, that is, and all of your in-memory changes are discarded.

I'd like to see XP Antivirus Pro 2008 thoroughly embed its tendrils... and then survive a restart. No changes are committed unless I manually force it.

Considering that Circuit City will sell you a PC with 6 GB of RAM for $999, I wonder why EWF isn't a standard feature. Probably because somebody would forget that defragging your hard disk would exhaust available RAM and then die, or wonder where that program they just installed went after they rebooted...

Linux has a similar filesystem, I believe it's used for boot CDs. It pairs the read-only volume with a RAM drive, and all writes are cached there and discarded.

Re:Write Filter = Best Antivirus

[bgerlich]

Try searching in desktops, laptop is not the only option in most stores ... yet.

Re:Write Filter = Best Antivirus

[x2A]

"a PC with 6GB of RAM for $999? Really? That's funny"

That's not funny. Funny would involve the computer coming from a man walking into a bar after crossing the road on a chicken, or asking many of those 6gigs of RAM it would take to change a lightbulb. There's no chickens involved here, and definitely no light bulb. I deduce that you're using sarcasm, maybe to convey the idea that you don't believe you can get a computer out of 'em with 6gig RAM... am I right?

Re:Write Filter = Best Antivirus

[WK2]

So, basically, writing to your hard drive is twice as hard as it is on a normal computer? And you call that a feature that should be installed by default?

Your original problem is that have programs installed that do stuff to your computer that you don't want. And your solution is an extra layer that those programs are not designed to penetrate. There are two problems with having such software installed by default:
a) it would be twice as hard to do stuff. I'm sure you realize this, and have already gotten used to it, and accept it.
b) if this software became popular, then any malicious, or just poorly behaved software that does stuff you don't want, such as write to the hard disk, will write to the hard disk as normal, and then penetrate your extra layer of obscurity to actually write to the hard disk. Programmers would be somewhat inconvenienced, and would have to use special libraries for writing to the hard disk, and users would be annoyed.

This EWF software you speak of is for a niche market, and would fail for everybody if it became popular. It's sort of how Linux doesn't have many viruses. Except Linux not having viruses is a side effect, and there are plenty of other reasons to use Linux if it became popular and malware authors decided to target it, whereas your software would fail if it became popular, and malware authors targetted it.

It's kind of like how the Windows outgoing firewall is useless. Every piece of malware knows to put themselves on that whitelist. Whereas if you use a software firewall that is not installed by default, then chances are good that the malware author didn't spend time on bypassing that one.

Re:Write Filter = Best Antivirus

[SirMeliot]

No no no no!

EWF != malware protection.

If the filter gets flushed to disk (maybe you apply an update to something), the malware gets fulshed too. Plus Microsoft provide a nice API to EWF so if the malware author wants to, all he has to do is load the EWF dll and make a single call and he's in there forever!

Even if the malware isn't flushed there's nothing to prevent you picking it up again next boot.

Yes, its annoying

[QuantumG]

But I fail to see how you can leverage this to gain privs.

If that's possible, then maybe that should be the subject of the article.

Re:Yes, its annoying

[QuantumG]

Umm.. yeah, and then you'll say "sure, install this program I didn't even ask to install". If that's something to be worried about then no amount of "security" is going to protect these people.

Re:Yes, its annoying

[slashqwerty]

But I fail to see how you can leverage this to gain privs.

I suppose it would be possible to populate the clipboard with corrupted contents, perhaps a string of XML that another app would try to consume. If that other app, designed strictly for desktop use, has a vulnerability in the way it processes said XML an attacker may be able to gain privileges. It's possible such an app will examine the clipboard contents just to determine if it should enable the Paste menu. Which means you could be vulnerable even though you never paste from the clipboard.

Re:Yes, its annoying

[x2A]

"no amount of "security" is going to protect these people"

Protect them? Protect us! They get their machines infected, they become latest members of bot nets, flood our mailboxes with spam, his the servers we use with ddos attacks... no we can't protect 100%, but it's in all of our best interests to try, and close off any avenues of attack that we can.

Re:Yes, its annoying

[x2A]

You can't figure out a simple solution? Like, have the banner ad companies screen for flash commands that shouldn't be needed for simple ads, like setClipboard?

Even if I don't paste the url into my browser and run whatever's on that webpage, I don't want something wiping whatever I have in the clipboard at the time... which would be why I have 'allow clipboard access' disabled in my browser javascript settings, I'd be very annoyed if sites are pushing ads that sneak around this, and if I was employing these companies to provide ads for my sites, I'd be annoyed with them for annoying my users in such a way. After all, I'm entrusting space on my pages to them. These companies should be doing better, now it's known about, they need to implement something to stop it from happening, whether people are going to the website and running stuff or not.

(And yes there's options for blocking ads, but they're paying for what I'm using. If I don't like the number of ads I don't visit the site, cuz that's the deal as I see it... content for the ads)

Re:Yes, its annoying

[jesser]

But I fail to see how you can leverage this to gain privs.

1. Every 100ms, put some evil UNIX commands on the clipboard, surrounded by line breaks. I'm sure you can come up with a one-liner that compromises a user's system.

2. Hope someone will paste into a Terminal window while your evil page is open.

I paste into Terminal windows all the time. For example, I might copy an error message and then grep another file for the message. If there's an evil web page open while I do that, the paste will own me.

Re:Yes, its annoying

[ZorbaTHut]

Some P2P clients support a "pull links directly from clipboard" feature, where they watch the clipboard for any link with the format they use and automatically download what it's pointing to.

The danger in this - both the parsing, and the downloading - is obvious. I don't believe any clients run downloaded things by default, but it's still potentially quite nasty.

Re:Yes, its annoying

[x2A]

"The thing is, there are legitimate reasons why Flash, or any other web app, may access the clipboard"

Yep, which is why I actually have the browser ask me if an attempt is made whether to allow it. But, flash adverts shouldn't mess with your clipboard, which is why I believe the banner companies should do the screening/filtering, not that flash should have the functionality removed.

Shockwave...

[azav]

I'll bet you can do it too in Shockwave with copyToClipboard. It is a little trickier though as copytoClipboard holds the reference to the Director member copied IIRC. Thinking about it, any web service that supports the clipboard should be able to do this.

How to fix this:

[MrMista_B]

http://adblockplus.org/en/

Problem solved!

Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

Re:How to fix this:

[AceofSpades19]

You have problems....

Re:How to fix this:

[redcaboodle]

You have problems....

Surely - because with Adblock you block AFTER you have seen the Flash. So unless the Flash comes from an already blocked source (*.doubleclick.com?) it will already have done its evil magic.

Only if you block all Flash you did not specifically allow you are clear. NoScript should work, then.

And some of us have to develop in Flash (stupid designer - stupid clients) so NoScript is out of the question.

Re:How to fix this:

[AceofSpades19]

You have to develop flash?, I feel sorry for you

Re:How to fix this:

[tlhIngan]

http://adblockplus.org/en/

Problem solved!

Seriously, blocking ads and javascript and flash stuff is like a game for me now, I get a little thrill of victory every time I block one of those things, it's great.

May I suggest a solution that's better, and doesn't leech?

Try NoScript - http://noscript.net/

It doesn't leech since static banner ads load up just fine, but NoScript blocks flash, java, and other plug-ins (PDF, etc) by default. It also disables javascript on a per-domain basis (plus detects and blocks XSS attacks).

And yet, if you want to see that YouTube video, just click the placeholder, and it'll ask if you really want to load whatever it is. For Javascript, click the icon and you can enable and disable the various scripts that may exist on a page (many across many domains). Nothing more fun than allowing javascript from the primary site, but disable javascript that loads ads and other junk.

Plus, having javascript off by default makes the web go much faster. It can always be re-enabled later on, leaving horrible CPU-wasting scripts from even running.

Me personally, I run a combination of FlashBlock + NoScript. This has a wierd effect as NoScript blocks the flash, click it, and then FlashBlock blocks it, then sometimes NoScript blocks it again. Sometimes a hassle, but saves me from inadvertent clicks.

The only XSS at times I find annoying is when purchasing from sites that use Paypal. But that's simply a click, then "Unsafe Reload" (reload the page with XSS), which fixes it.

It's amazing how many sites work great with NoScript, and how many sites are so poorly coded they need javascript to handle a hyperlink.

Re:How to fix this:

[swb]

I second this, but I would only permanently whitelist sites you absolutely need to out of convenience or trust; everything else I temporarily whitelist on an as-needed basis, and I find that unless I'm shopping or something there are number of sites I don't need javscript to run for basic use. I figure with SQL injection attacks and other random maliciousness, even "trusted" web sites can be compromised and this keeps my exposure to a minimum.

The only feature I wish it had, though, was some kind of per-tab or per-site whitelist inheritance. Some sites, like Newegg, use Akamai for shopping cart processing. Allowing Newegg doesn't in turn allow URLs for Akamai, which I understand, but it means I have to wait until the checkout blows up, THEN temporarily allow Akamai to finish a purchase.

If there was some other way to "Temporarily allow all referred linked from foo.com" or "Allow all as long as address bar is foo.com" or something that would allow other sites' javascript to run, so long as I "stayed" on the page I was on.

Lame results with Linux

[keeboo]

Well I accessed the page under Linux and Firefox 2 and the following things happened:

The middle mouse button pastes as usual.
The hijacked content only appeared with CTRL-V.

All I need to do is to close the page tab and it's gone.

Disappointing.

Re:Lame results with Linux

[marxmarv]

I think that's an X11 anachronism you're dealing with there. No idea why it still exists in 2008.

Re:Lame results with Linux

[WK2]

The way I see it, having multiple clipboards, and multiple ways to write to and from the clipboard, are separate issues. I can see the reason behind multiple access points to the clipboard, but having multiple, unrelated clipboards is somewhat of an annoyance.

And there is another issue. Try opening an editor, or browser. Write some text, and copy that text to the clipboard. Now exit the editor. Your data in the clipboard is lost. This has tripped me up many times, and I would really like to fix it. It doesn't have to be that way, too. I can copy stuff with xclip, which exits immediately, but that info remains in the clipboard.

Not affected it seems ...

[YeeHaW_Jelte]

... on this old system with SuSE 9.1, FF 2.0.014, flash 7.

Hoorah for lazy upgrading ;)

Re:It may not be this

[riceboy50]

If you are using FF3 and beta Firebug, then you are probably seeing the DOM corruption bug that I see when ads are inserting into the DOM. The symptom is that the whole page disappears except for that ad. I've seen this behavior on several sites, including /. I haven't figured out a remedy yet except to disable Firebug, and we all know that's not going to happen!

Re:Hard to remove?

[INeededALogin]

I closed the demo window

The average user is not going to know that they have been hijacked and they won't necessarily know which window is doing it. The clipboard hijacker could even wait until you copy a url before modifying it.

Confirmed in Opera 9.25

[Rockoon]

I realize its probably not the latest version of Opera...

evil

[duckInferno]

Just further proof that Adobe Flash is evil.

Opposite experience

[Anpheus]

I enabled the object in Firefox 3.0.1 with NoScript 1.7.8, Flash version is 9.0r124, and yes, it did set my clipboard.

Re:Opposite experience

[Derek+Pomery]

Apologies - indeed whitelisting the flash was all that was needed.
I had used the X paste buffer (middle click) first time around.
Retested.
Worked.

Re:Opposite experience

[infonography]

That domain now points to Whitehouse.gov

Re:Opposite experience

[X0563511]

Unless you randomly paste links that you can't remember copying, visiting them, and then deciding to install the advertised antivirus software... I would consider this attack vector to be pretty benign. Darwin for the internet, if you will.

Re:What about Opera?

[hellwig]

Tried with Opera 9.51 on gOs/Ubuntu 7.10 and it did copy the url to my clipboard which I was unable to replace (with ctrl+c) until I closed the tab. After closure, I regained control of my clipboard.

I tried using a user javascript file that would block all flash content and allow me to individually activate the various flash files, but I had problems with things like YouTube, and eventually I abandoned it when certain websites I frequented used Flash for the most obsurd reasons (don't remember which, this was over a year ago). Might be worthwhile to bring it back.

iPhone

Now we know why the iPhone has no copy/paste support. It's a security issue!

Whew.

[rascher]

Its about time they start making software that runs on Linux too.

Re:Clicked on the flash area in NoScript in the de

[unlametheweak]

These days you have to go out of your way to avoid flash by learning about and installing less popular Web browsers like Firefox and installing extensions (Add-ons) like NoScript that you have to educate yourself about. These days even browsers like Firefox come pre-installed with crapware and bloatware like Microsoft DRM and Shockwave Flash. These things I have manually disabled.

I often hear people on Slashdot claiming that Flash is safe, but I also constantly hear about flash-based exploits as well. To most Slashdot users I would think Flash would be relatively safe, however most people are not Slashdot users.

The Internet is becoming less accessible to me as the years go by. There is no need for Flash or Java or JavaScript (to navigate to a URL for example). I can only perceive malicious reasons why Web developers would try to force people to use these technologies.

When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.

Just a loop

[Twillerror]

Okay so the flash ad just copies something to the clipboard in a loop. Closing the tab or browser stops this. I suppose if you are running your browser in the background this would be very annoying and you wouldn't know.

Today firefox and IE prompt if you want to use the clipboard from javascript, but it used to not be this way. I'm sure Adobe will patch this soon enough.

This is like old popups...and oversight that is being exploited by the annoying "internet bully". It's like getting a wet willing or you head stuffed in a toilet.

The issue is here that both Flash and the underlying operating system don't have any kind of cut and paste protection. X, Mac OS X, and XP/Vista should not allow a program to copy and paste the same dam string to the clipboard over and over. Really kind of annoying that we have to spend so many human hours fixing "problems" like this...but such is life I suppose.

Flashblock doesn't work here

I am visiting the test site using Firefox with Flashblock on Ubuntu 8.04. I press Ctrl+V, and there it is, http://www.evil.com.

This only happens sporadically, though, and I can always just Ctrl+C something else. I believe this is because Flashblock blocks ads as they are loaded, not before they load (not 100% sure about this).

Does anybody else have this issue?

Secure Linux Clipboards

[Doc+Ruby]

So now it seems that Linux's nonintegrated multiple clipboards and their UIs (Ctrl-c, and select/middle-click) are a security feature, not a bug.

Re:Clicked on the flash area in NoScript in the de

[Hurricane78]

> When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.

This maybe is true, except if you want to do a real web application. Loading a whole HTML-page, just to change some state of an (non-form-element) interface element... That's insanity.
You've done the same that someone in a trauma does. You're created false associations. It's not the technology or even the virtual machine that's bad. It's the implementation.
Your argument is the same, as if someone who had only bad experiences with x86, while having good ones with his old 86000s, argues that "if an application requires x86, then that application is never again used."
The same is true for OSes. Someone could implement Windows XP in a proper manner, and make it a very safe system. (I did not say that someone would want, tough ;)

Or in short:
Someone can crack a bad JavaScript VM and contaminate the rest of the system. And someone could crack a bad OS, and contaminate the rest of the system. There are even examples for this on virtualization VMs. (Heck, the system's clipboard is accessible to all 3 of them, on modern VMs!)

So my vote goes for Replacing the JavaScript VM with a hardened generic VM, with a fixed interface to the outside world, and adding JavaScript, Python, Ruby, Haskel, Ocaml and more as languages to it (via add-ons, or pre-compiled?)

Okay, I think one should remove at least one layer of abstraction/VM and harden the OS so that even OpenGL on JavaScript would not have a performance loss. (Yes, this would be useful. Eg. for quick dynamic data visualization or entertainment applications.)

And my wife said it was porn!

[wmbetts]

I got hit with this last night and it was a bitch trying to figure out what it was. I literally spent hours trying to find what had hijacked my computer. I finally said screw it and reinstalled Linux, because the only game I play regularly can be loaded in Wine.

NoScript sounds like something that you need.

[falconwolf]

I used to have ZoneAlarm as well. IMHO it is much better at configuring things like JavaScript access, etc. It has a very intuitive interface and is easily customizable.

Yea, I loved how ZoneAlarm was configurable. I had it set by default to block all Java, objects, and scripts then when I came across a website I wanted to allow them I could quickly configure it. If I wanted to, and I did a number of tymes, I could temporarily let a website use them. How well do NoScript and Flashblock work though in Firefox 2.0.0.6? That's what I'm using. I could upgrade to Firefox 3 but I wonder if I can still use my current version.

Falcon

Re:Clicked on the flash area in NoScript in the de

[Daengbo]

I just use SWFDec. It avoids the Flash problem by failing to play about 50% of the stuff out there.

The demo hijack page doesn't work, either. Surprise!

Just kidding. I like SWFDec much better than Flash + nspluginwrapper on my 64-bit Lenny.

Same Ol' Same Ol'

[MightyMartian]

Once again we see the serious consequences of allowing a single company to serve a proprietary solution which opens up browsers and the platforms they run on to serious security flaws. This is ActiveX Part Deux, or perhaps Son of ActiveX.

To some extent I blame the guys writing the browsers. They're the ones letting plugins and extensions to have this much control over clipboards. The solution here is obvious, though Adobe may not like it, but at this point I think Adobe's concerns shouldn't even enter the equation.

Re:Clicked on the flash area in NoScript in the de

[negRo_slim]

I often hear people on Slashdot claiming that Flash is safe

Well sir you must view /. at a much lower threshold then I do!

Re:Go tell Adobe

[MightyMartian]

After a decade of horrors visited upon the world by Internet Explorer, you'd think everyone would view such a large proportion of content being delivered via a proprietary format and software (one, mind you, that renders via software and doesn't even have a functioning 64 bit version) as so incredibly dangerous and foolish as to dismiss it.

If just as much effort were put into a better streamlined and functional Javascript/ECMAscript interpreter based on open specs as is being put into reverse engineering Flash and now trying to figure out ways to secure it, we wouldn't even need the goddamn thing to begin with. There are better scripting engines than flash, there are better video formats than Flash, so why the fuck is so much attention paid to something that's so inherently flawed?

Re:It may not be this

[riceboy50]

Yeah, I know. I saw that they released an update today, which I'm not sure if it addresses the issue or not, but it was happening to me if the extension was enabled at all—regardless of whether I had the panels enabled or not.

Re:Hard to remove?

[budgenator]

you can in KDE just open k;ipper, In windows I'd imagine I'd open wordpad and ctrl-v to see what was there.

Re:Clicked on the flash area in NoScript in the de

[jacquesm]

Worked here as well. One more point against flash, what on *earth* were they thinking when they put that 'feature' in there ?

Re:Hard to remove?

[muffen]

... yea, or you can RTFA and reach the following conclusion.

Demo:
(BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

Exploit:
From TFA
My clipboard has been hijacked with this:
[ malicious URL deleted ]
And once it's in the clipboard, I can't copy anything else over it until I've restarted the machine.

So basically, real exploit != demo exploit.

Re:Clicked on the flash area in NoScript in the de

[bogado]

Yes flash block do have a list of allowed site, and it alone can stop the attack.

Re:Clicked on the flash area in NoScript in the de

[Phydaux]

I can only perceive malicious reasons why Web developers would try to force people to use these technologies.

Never assume malice when stupidity will suffice.

Re:Hard to remove?

[Chris+Pimlott]

Congrats. Now imagine that you don't know which window of a dozen well-known webpages has the malicious ad hidden in it.

Re:Clicked on the flash area in NoScript in the de

[Serious+Callers+Only]

Well, there's also video cam support - it is supposed to ask your permission first, but perhaps there are unexplored features/vulnerabilities in it too :

http://www.macromedia.com/support/documentation/en/flashplayer/help/help04.html#117089

If I was a hacker^^^^^^security researcher, I'd be looking there first.

One of the reasons why I surf with Flash off.

Re:Clicked on the flash area in NoScript in the de

[stewbacca]

As with everything in life, you have to find the happy medium. Flash has legitimate purposes (repid e-learning development and delivery, for example) that far outweigh the risks of clicking on a rogue advert. Do I want to disable Flash to feel "safe" and prevent unpleasantries, such as flashing/blinking/buy-me ads at the cost of not being able to conduct the mandatory training module I have to complete for work?

Re:Clicked on the flash area in NoScript in the de

[bogado]

Why you have to do it, why this is not the default? The problem is that you started with a faulty concept and then to fix without breaking every other application is hard.

As I said before, I know MS is trying hard to fix this, but that was not my point, I was only pointing out that concepts can be broken independently of their implementation.