
Explorer vulnerability exposes clipboard info
Written by Gizmo   
Friday, 24 February 2006 07:06

It's debatable how much of a security issue this really is, as it has been around for quite some time.  However, the Inquirer is reporting here about a vulnerability in IE that allows clipboard data to be sniffed by malicious scripts.  This means that when you use copy-n-paste to take your password from your password file and paste it into a form, it is possible for a bad guy to usurp the contents of your clipboard and send them somewhere not of your choosing.

The fix for this is relatively simple and has been known for something on the order of 4 years: Go to Tools > Internet Options > Security > Select a security zone > Custom Level > Scripting > Allow paste operations via script. You can set this to Enable (the default for the internet zone), Disable (default for restricted sites) or Prompt. It is recommended that you set it to Prompt: scripts can still have clipboard access, but only when you say so.
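To check this setting on more than one machine, the added example below (not part of the original article) reads the text of a `reg export` of the per-user zone settings and lists the zones where paste via script is still set to Enable. It assumes the setting is stored as the DWORD value `1407` under `Internet Settings\Zones\<n>`, which is how Windows records it but is not stated in the article; the sample export is constructed.

```python
import re

# Constructed sample: text of a `reg export` of the per-user IE zone settings.
# The values are invented for illustration, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1407"=dword:00000003
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Assumption: URL action 1407 is "Allow paste operations via script".
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}

KEY_RE = re.compile(r'^\[.*\\Internet Settings\\Zones\\(\d+)\]$', re.I)
VAL_RE = re.compile(r'^"1407"=dword:([0-9a-f]{8})$', re.I)

def paste_policy_by_zone(export_text):
    """Return {zone name: policy} for every zone that sets action 1407."""
    result, zone = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = KEY_RE.match(line)
            zone = int(key.group(1)) if key else None  # any other key ends the zone
            continue
        val = VAL_RE.match(line)
        if val and zone is not None:
            raw = int(val.group(1), 16)
            name = ZONES.get(zone, f"Zone {zone}")
            result[name] = POLICY.get(raw, f"Unknown (0x{raw:x})")
    return result

def silent_paste_zones(export_text):
    """Zones where a script can read the clipboard without any prompt."""
    policies = paste_policy_by_zone(export_text)
    return sorted(z for z, p in policies.items() if p == "Enable")

if __name__ == "__main__":
    for zone, policy in paste_policy_by_zone(SAMPLE_EXPORT).items():
        print(f"{zone:18} {policy}")
    print("Still set to Enable:", silent_paste_zones(SAMPLE_EXPORT))
```

A zone that does not appear in the output has no per-user value for this action in the export.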

What may not be so widely known is that, even with this change, it is still possible for a script to gain access to the clipboard data without the user's knowledge, by installing a bunged copy of the Office Web Components ActiveX control.  It seems that there was a vulnerability in the OWC control that allowed scripts to bypass certain restrictions in IE.  This vulnerability in the ActiveX control was addressed by MS02-044, but the 'kill bit' which would prevent the control from being used by IE was never set.  This means that the old control is still considered valid, and a bad guy could re-introduce this control to a patched system, thus regaining the ability to not only access the clipboard, but even to run arbitrary code on the target system.  This is particularly bad because the control is signed by MS, the signature is still valid, and MS is considered to be a trusted publisher on most computer systems out there.  MS's stance on this is that they can't change the 'kill bit' without breaking a whole bunch of web pages out there, and besides, since the control is 7 MB big, it is unlikely that the bad guys could get the vulnerable control onto your system without you knowing about it anyway.

About the only thing you can do to protect yourself from this is to remove MS from your trusted publishers list, so that if some bad guy should try to put the bunged control back on your system, you will be alerted and prompted as to whether you want to install it or not.  Information on how to do this is contained in the security advisory from MS (they actually recommend emptying the trusted publishers list entirely, so that no ActiveX control can be installed on your system without your permission, and that isn't a bad idea).

To empty the trusted publishers list: 

  1. In Internet Explorer, choose Tools, then Internet Options
  2. Select the Content tab. In the Certificates section of the page, click on Publishers.
  3. In the Certificates dialog, click on the Trusted Publishers tab.
  4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
  5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.
