Clipboard Data Theft Optional In IE 7

A little-known secret about Microsoft's Internet Explorer Web browser is the long-standing feature that lets Web sites silently read data stored in the Windows "clipboard" -- the storage space that serves as a semi-temporary repository for any text the user has recently cut-and-pasted or copied in virtually any Windows program.

Apparently, Microsoft has finally changed that feature with IE 7. The newest version of the browser throws up a prompt asking users whether they really want to share the contents of their clipboard (should they stumble upon a site that tries to filch it).

Are you still using IE 6 and want to see how the clipboard feature works? Visit this harmless proof-of-concept site with IE 6 after you use a Windows program to copy and paste some text or numbers (even though it's a harmless example page, maybe it's best not to copy that Quicken data you were just entering).

As the site explains, data copied to the Windows clipboard stays there until it is replaced by more cut-and-pasted data, or until you log out of your machine or turn it off. It's probably worth mentioning that alternative Web browsers such as Firefox and Opera do not allow Windows clipboard data-stealing.

By Brian Krebs  |  December 21, 2006; 11:07 AM ET
Categories:  From the Bunker  

Comments

Another prime example of why people should be using anything but IE to surf the web. If they are finally (two years too late) admitting to this flaw in the design, then how many more problems are they hiding?

Posted by: TC | December 21, 2006 11:39 AM | Report abuse

Ah...was this intended as a feature, or a programming oversight? There were a lot of reasons that I switched to Firefox from IE two years ago and stuff like this makes me really glad that I did.

Posted by: Lester Burnham | December 21, 2006 11:48 AM | Report abuse

It appears this "bug" is a setting in IE7:

>Tools >InternetOptions >Security >CustomLevel >Scripting >(Set)Allow Programmatic Clipboard Access (...to Disable)

...works for me, anyway.

.

Posted by: J. Warren | December 21, 2006 12:01 PM | Report abuse

Cool - I visited the proof-of-concept web site with IE7, and did indeed get the posted warning message from IE.

IMHO, regardless of what people use as their default browser, they should get IE6 off of their systems, by upgrading to IE7.

Posted by: JohnJ | December 21, 2006 12:06 PM | Report abuse

Here I thought I was so smart cutting and pasting passwords and ID's from a password safe. Thank you Microsoft.

Posted by: Bud | December 21, 2006 12:55 PM | Report abuse

Since IE6 is not the only malware that might gain access to your clipboard, try this password safe -- http://keepass.sourceforge.net/ -- which provides an option to clear the clipboard after a user-specified number of seconds, as well as the "enhanced mode" that "allows pasting only once and protects against clipboard spies."

Posted by: Charlie | December 21, 2006 1:55 PM | Report abuse

@Bud

Good point! A good question then is 'what the F did they think anyone would want this for'.

Posted by: Rick | December 21, 2006 2:11 PM | Report abuse

A simple solution for IE6, particularly for businesses, would be to have a home page on the local drive that would display the current contents of the clipboard and a nonsense phrase that can replace it.

Unfortunately, I don't know how to accomplish this.

Posted by: db | December 21, 2006 2:18 PM | Report abuse

It might be redundant, and you can read it between the lines in Charlie's post, and certainly most of the time data stays on the clipboard until someone does something about it, but it is possible to clear the clipboard without putting anything more on it - in fact most clipboard ops start with this call.

http://msdn2.microsoft.com/en-us/library/ms649037.aspx

Posted by: Rick | December 21, 2006 2:18 PM | Report abuse

Thanks for the link, Charlie. Does anyone know why this is a "feature"? Why would I want someone nicking my clipboard data? Is this a MS joke? Are most of the MS security flaws intentional? Am I paranoid or just p*ssed?

Posted by: Bud | December 21, 2006 2:19 PM | Report abuse

@db

If you interfere with the clipboard you're interfering with the way apps work both internally and together. You're interfering with ordinary cut and paste in text editors, with file names used in a copy or move operation, etc.

The solution is to not use any app that's going to query the clipboard and then send it to remote unidentified entities just because they ask politely.

Posted by: Rick | December 21, 2006 2:21 PM | Report abuse

Like, holy crap, how many years has this been going on, and I'm just finding out about this "feature" now? As a Mac user, even I'm on a Windows machine now and again, and Microsoft built this into IE6 as a "feature?" Unbelievable. And now I have the "option" to disable it in IE7? What the heck is that?

I wonder what corporate America is going to think about this when they get wind of it. What other "features" don't we know about? How can anyone NOT be outraged at this? How can Microsoftees think this is only one more "feature" they have to work around instead of asking "What was this doing in my system in the first place?" I don't get it. Or maybe I'm missing something.

It's the Stockholm Syndrome, for sure.

**After your identity has been stolen, your bank accounts compromised, 53 critical patches and 27 reboots later, when will you decide that you've had enough?

Posted by: WhitIV | December 21, 2006 2:58 PM | Report abuse

As a developer of clipboard software for 16 years, I'm amazed that this feature exists at all. There's no useful/beneficial use for this thing. My favorite quote applies here:

"Programs should not transfer data into or out of the clipboard without an explicit instruction from the user."
-- Charles Petzold, Programming Windows 3.1, Microsoft Press, 1992

This and other clipboard mistakes documented at my site:
http://www.thornsoft.com/developer_commonmistakes.htm

Posted by: Chris Thornton | December 21, 2006 3:23 PM | Report abuse

I'm going to guess that this feature was part of their "integrate IE into Windows" idea. I suppose the idea was to turn Notepad into a "specialized web page" like most message boards. In which case, having a program access the clipboard from IE makes perfect sense.

Posted by: tallbear | December 21, 2006 3:53 PM | Report abuse

For those of you admins who want to disable this via GPO:

http://msdn2.microsoft.com/en-us/library/aa701121.aspx

Posted by: IT Admin | December 21, 2006 4:15 PM | Report abuse
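
The per-zone setting discussed in the comments above can also be audited and set from a script. This is an added example, not part of any comment or of Microsoft's documentation; it assumes (none of this is stated on the page) that "Allow Programmatic clipboard access" is URL action 1407, stored as a DWORD under the Internet Settings `Zones` registry keys shown, with 0 = Enable, 1 = Prompt, 3 = Disable. The function names are illustrative.

```powershell
# Added example. Assumption (not stated on the page): the setting is URL action 1407,
# stored per security zone as a DWORD named "1407": 0 = Enable, 1 = Prompt, 3 = Disable.
$UrlAction = '1407'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ZoneRoots = [ordered]@{
    MachinePolicy  = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    UserPolicy     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    UserPreference = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ClipboardScriptSetting {
    # One row per (source, zone) so that a policy overriding a user preference is visible.
    foreach ($source in $ZoneRoots.Keys) {
        foreach ($zone in 0..4) {
            $key   = Join-Path $ZoneRoots[$source] "$zone"
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $UrlAction -ErrorAction SilentlyContinue).$UrlAction
            }
            [pscustomobject]@{
                Source  = $source
                Zone    = $ZoneNames[$zone]
                Setting = if ($null -eq $value) { 'not set' } else { $Meaning[[int]$value] }
                # Silent script access to the clipboard from untrusted zones is the exposure.
                Exposed = ($zone -ge 3) -and ($value -eq 0)
            }
        }
    }
}

function Set-ClipboardScriptSetting {
    param(
        [int[]]$Zone = @(3, 4),                      # Internet and Restricted sites
        [ValidateSet(0, 1, 3)][int]$Value = 3,       # default: Disable
        [ValidateSet('MachinePolicy', 'UserPolicy', 'UserPreference')][string]$Source = 'UserPreference'
    )
    foreach ($z in $Zone) {
        $key = Join-Path $ZoneRoots[$Source] "$z"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $UrlAction -Value $Value -Type DWord
    }
}

# Disable for the current user in the two untrusted zones, then show the result.
Set-ClipboardScriptSetting
Get-ClipboardScriptSetting | Format-Table -AutoSize
```

Writing to the `MachinePolicy` source requires an elevated session; rows reported as "not set" fall back to the browser's default for that zone.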

Having only come recently to a new hearty computer, I have been in the habit of "clearing" the clipboard after most cut and paste operations by Ctrl+C a single letter. Supposedly, I was saving memory on a machine with little of it. (Please don't laugh at me.)

Of course, in my case, as far as IE went/goes, it made/makes little difference because I refuse to use it, except with one darn work related site that only works with IE.

Posted by: Rosie Win | December 21, 2006 4:29 PM | Report abuse

WOW! This is new news. The clipboard is open to the whole world wide web through IE? Damn I wonder how many corporate security officers know about this. They'll go ape for sure.

I mean imagine an entire Power Point presentation of next year's company plan sitting on the clipboard to be read by anybody out there. MS Office users if they know nothing else know how easy it is to cut and paste.

WOW!

Posted by: Tom | December 21, 2006 4:37 PM | Report abuse

One more gripe, the damn IE 7 move the menus and toolbar buttons all over the place. It's such a waste of time to have to hunt for these every time you need to access them.

Fix it Mr. Gates.

Posted by: Tom | December 21, 2006 4:45 PM | Report abuse

The clipboard bug is such an embarrassing security oversight that Microsoft added it as a tweakable option in IE7 simply to pretend like it's been a feature all along (my hunch, anyway).

Posted by: Ken F. | December 21, 2006 5:01 PM | Report abuse

This could be good news for Firefox users, too. Firefox users who have Flash installed are also vulnerable because the Flash developers made different security decisions from the Firefox developers. Now that Microsoft has seen the light, it will be harder for the Flash people to argue that it isn't a security hole, and they'll be forced to fix it.

But since I'm familiar with some of Flash's other UI, I worry that instead of getting rid of the misfeature, they'll implement a dialog that's vulnerable to attacks like the ones described at http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs :(

Posted by: Jesse Ruderman | December 21, 2006 5:09 PM | Report abuse

I too switched 2 years ago from IE to Firefox, for the very same reasons everybody did it, and everything went smoothly up to FF 1.5. After having installed FF 2.0 two weird things happened: I could no longer scroll and "Calling ID" wasn't accepted by the program. Of course somebody else noticed these restrictions.

Being "encouraged" to comment, I have done it. Now what happens? Will I receive from readers or from Mr. Krebs some kind of support?

oldboy

Posted by: oldboy | December 21, 2006 6:10 PM | Report abuse

To all readers:

It is a violation of the blog policy of Washingtonpost.com to leave comments that impersonate anyone, but most especially the author of this blog. Violating that policy is the surest way to have your comments deleted and to be barred from leaving them on this blog going forward.

Thanks for your cooperation.

Posted by: Bk | December 21, 2006 7:23 PM | Report abuse

Firefox users with the IE-Tab Extension/Add-on installed are still vulnerable, even if the IE engine being used is version 7. You still get no warning when clipboard info is grabbed.

Posted by: My other brother Darryl | December 21, 2006 7:52 PM | Report abuse

I was just going to say that the IE engine doesn't prompt you if you use the IE-Tab extension in Firefox but then I spotted the above post.

Does this mean that **any** embedded IE browser will remain vulnerable? To me it looks like it might be the situation. The problem is that there are so many applications that embed the IE browser (for example, Windows Explorer, Outlook, Windows Help, etc.). If this is the case then this means that all of these applications must implement their own support for this security issue (and possibly others)! If so, Microsoft's implementation is pure rubbish.

Posted by: Andreas | December 21, 2006 11:17 PM | Report abuse

oldboy> Now what happens ? Will I receive from readers or from Mr. Krebs some Kind of support ?

Have you tried searching the Mozilla bug database?

https://bugzilla.mozilla.org/query.cgi

There's also a lot of stuff here:

http://www.mozilla.org/support/

Posted by: antibozo | December 21, 2006 11:41 PM | Report abuse

Wow, this is impressive. I mean, really. Sure, so I switched to 'Fox ages ago for a whole host of reasons, which any veteran IE user will know and appreciate, but I'm still forced to use IE on occasion. Gotta admit this is one thing I never knew about.

I wonder what other fun flaws/bugs/features will be uncovered in future. And does anyone know if MS decided to own up and post an apology, or even, in an ideal world, an apology with reasons it wasn't fixed earlier? =P

Good stuff.

Posted by: Shai | December 22, 2006 8:30 AM | Report abuse

Want to know why this "feature" exists? Lazy Programmers. Having been in development for many years, I know of a number of older applications that use the clipboard for interprocess communications. At one point it was necessary, then came DDE and real IPC using pipes. However, I still know stupid web developers that instead of creating a proper application using IPC pipes, they will get lazy and use "shortcuts", like sharing data using the clipboard. Is this Microsoft's fault, partly yes, for bowing to the whims of stupid, lazy developers.

Nuff said.

Posted by: LazyProgrammers | December 22, 2006 10:54 AM | Report abuse

Jesse Ruderman, in comments above, wondered about Adobe Flash Player. I didn't see mention of Flash in his link, but I'm guessing the concern is "Can Adobe Flash Player also read your clipboard?"

If so, then the answer is "no" -- no version of Adobe Flash Player can read your clipboard -- later Player versions can write to your clipboard, but the security implications of reading the clipboard have been explicitly acknowledged since the very first versions of the Macromedia Shockwave Player, a decade ago.
http://www.google.com/search?q=%22flash+player%22+clipboard+site%3Aadobe.com

(Jesse, in case I guessed the concern wrong, I'll open up an item at weblogs.macromedia.com/jd so we can follow up together, thanks.)


Posted by: John Dowdell | December 22, 2006 11:09 AM | Report abuse

oldboy wrote:
"After having installed FF 2.0 two weird
things happened : I could no longer scroll
and "Calling ID" wasn't accepted by the program."

It's hard to be sure without knowing a bit more, but your problem may be related to your Firefox profile. I'm assuming you are using Windows; for Win XP or 2000, the profile is in:

Documents and Settings\UserName\Application Data\Mozilla\Firefox\Profiles

where 'UserName' is your Windows user name. The profile folder will have a name that begins with 8 "random" alpha-numeric characters (such as 'i9kiu9w8.default').

You can try creating a new profile to see if it fixes the problem. First make a backup copy of your bookmarks file (bookmarks.html) and cookies file (cookies.txt) in a safe place. Then run Firefox to create a new profile by using Start/Run for the following:

firefox.exe -P

If this fixes the problem, you can restore your bookmarks and cookies by copying the backup files you made earlier to the new profile folder. For more complete info, see the Firefox Release Notes at:

http://www.mozilla.com/en-US/firefox/2.0.0.1/releasenotes

You can E-mail me if you'd like.

Rich Gibbs
richg74 AT
gmail DOT com

Posted by: Rich Gibbs | December 22, 2006 11:21 AM | Report abuse

Actually, PasswordSafe clears out your clipboard after a brief time interval.

Posted by: PasswordSafe User | December 22, 2006 5:18 PM | Report abuse

J. Warren wrote:
>>It appears this "bug" is a setting in IE7:

Good call. Just don't stop there.
http://windowssecrets.com/comp/061026#story1

db wrote:
>>A simple solution for IE6, particularly for businesses, would be to have a home page on the local drive that would display the current contents of the clipboard and a nonsense phrase that can replace it.

An even-simpler (although not necessarily easier) solution is for businesses to deploy an IE policy that disables active scripting in the Internet and Restricted Sites zones, since AFAICT businesses have very little need to permit *everyone in the world* to run unknown script code in their machines' browsers.

Posted by: Mark Odell | December 24, 2006 2:50 PM | Report abuse

Look, you dummies, I never ever 'Cut and Paste'. Easier, more visual, totally secure method is to split the screen into two sections, usually 50% each, highlight text to be pasted, then stay clicked on the highlight and drag to required position on the other document.
1. You can't lose anything.
2. You can see what's happening all the time.
3. You can modify and fine tune what you've done 'till it's perfect.
4. No record remains on the computer for a hacker or snooper to pick up.
Try it, you'll get the hang of it very quickly.

Posted by: James Rose. Far Trust. | January 5, 2007 8:07 AM | Report abuse

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company