#1
From the article on this page: http://www.securitynewsportal.com/index.shtml
"Windows users were warned over the weekend of an exploit in Microsoft's Internet Explorer browser that lets any website copy the contents of the Windows clipboard without the user knowing. Popular Windows site NTFS highlighted the exploit, which has been known about for some time, but which is still not widely known amongst users.

"I often copy and paste passwords," said one reader on finding out about it. As the number of passwords that people have to keep track of increases, many resort to quick and easy methods of remembering and entering them, and cutting and pasting from a document is not uncommon. A recent survey found that the average IT user now has 21 passwords, with some heavy users having to keep track of as many as 70. Forty-nine percent write their passwords down, or store them in a file on their PC.

A web page with a simple piece of code can use the Internet Explorer exploit to monitor the contents of the clipboard, and send them to a remote server-side script for processing. The remote script is then able to save the clipboard text in a database, or email it to an arbitrary address.

"The biggest threat is if you copy your internet banking security code or password to your clipboard, then go surfing," said NTFS. "You may even copy your credit card number when buying online, so it is easier to fill in the details, (and then) you may then go to a site that harvests your clipboard information."

This latest warning comes hot on the heels of several new IE security bugs, and as Microsoft's browser continues to increase in popularity, now commanding more than 52 per cent of the market.

Users can protect themselves from the exploit by clicking on Tools in the Internet Explorer toolbar, then selecting Internet Options / Security / Custom Level, scrolling to Scripting and disabling "Allow paste operations via script"."

__________________

(From Pete)

An example of the exploit can be found here: http://www.ntfs.org/tmp/clip.html , and it might do you well to bookmark it for future reference. Browser upgrades and/or Windows Update 'patches' or 'fixes' can (and have) resulted in the changing of preferences of browser settings on an individual's computer. Likewise, the vulnerability can be re-instated remotely, given enough savvy on the part of an attacker. (Please read the GreyMagic Advisory: http://sec.greymagic.com/adv/gm007-ie/ ).

If what I'm reading there is correct, then it would also behoove us all to go into Tools/Internet Options/ click on the "Content" tab, and (under the "Certificates" heading) click on "Publishers" and find any M$ entries the "Authenticode(tm) Security Technology" screen may contain and delete them (they'll be there if you've ever clicked on anything that's asked you to "Always trust content from..." and you accepted - checkmarked - that).

Actually, it's kind of wise to check that particular area on a regular basis, anyway - especially if you're sharing the computer with others (family members or co-workers). If anyone still remembers, a lot of people were totally unable to clear themselves of Comet Cursor re-infections due to the fact that someone had clicked on "Always trust content from Comet Systems" on their computer, thus defeating their every attempt to prevent re-infection.

(Note: I have absolutely no entries on that screen and that's the way I keep it - "silent" downloads of/by anything with permissions in that area can bypass numerous defenses set up to stop them and be absolute hell to figure out).

Pete
__________________
"A free people ought not only to be armed and disciplined, but they should have sufficient arms and ammunition to maintain a status of independence from any who might attempt to abuse them, which would include their own government." --George Washington

Compaq Presario 7110US, 1.3GHz ThunderBird, 1GB RAM, 160GB HD, WinXP Pro w/SP2
#2
Solution:
Tools - Internet Options - Security - Internet Zone - Custom Level - Scripting - Disable "Allow Paste Operations Via Script".
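
The setting named in the posts above can also be read from the registry, which makes it easy to re-check after an update may have changed browser preferences. This PowerShell audit is an added example and not part of the original thread; it assumes URL action 1407 is the "Allow paste operations via script" setting and that the "Publishers" list is backed by the current user's TrustedPublisher certificate store.

```powershell
# Added example (not from the thread): audit the clipboard-paste zone setting
# and list "always trust" publishers for the current user.
# Assumption: URL action 1407 = "Allow paste operations via script".
# Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$action  = '1407'
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$zones   = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
              3 = 'Internet';    4 = 'Restricted sites' }

# Per-user and machine-wide settings, plus their Group Policy overrides.
$base  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots = @(
    "HKCU:\Software\$base",
    "HKLM:\Software\$base",
    "HKCU:\Software\Policies\$base",
    "HKLM:\Software\Policies\$base"
)

$report = foreach ($root in $roots) {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $key = Join-Path $root $zone
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
        if ($null -eq $value) { continue }   # value not set in this hive
        [pscustomobject]@{
            Hive    = $root.Substring(0, 4)
            Policy  = $root -like '*\Policies\*'
            Zone    = $zones[$zone]
            Setting = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
                      else { "Unknown ($value)" }
            # Flag Internet / Restricted zones where paste via script is not disabled.
            AtRisk  = ($zone -ge 3 -and [int]$value -ne 3)
        }
    }
}
$report | Format-Table -AutoSize

# Publishers the user has chosen to always trust (assumed store, see lead-in).
# Signed controls from these publishers can install without a prompt.
Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Any row with `AtRisk` set to `True`, or any unexpected entry in the publisher list, is worth reviewing in the Internet Options dialogs described in this thread.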
#3
Hello, Harry!
Yes, the "solution" you posted (which was also at the bottom of the article I printed above) is good as far as it goes. This, however, was the quote from the GreyMagic article which is what brought on the rest of my post:

"Microsoft has released a patch for these issues, however, the "Kill Bit" was not set for the vulnerable OWC version. This means that an attacker can easily reintroduce the old OWC, properly signed by Microsoft, and gain complete access to the vulnerabilities we found. And unlike Microsoft claims, it's not that easy to notice it install itself, an attacker can open an off-screen window that will silently install OWC without the user knowing. This is a fundamental problem in the patch and it renders it quite useless for users who set their IE to trust content from Microsoft or users that tend to click "Yes" when they see controls signed by Microsoft."

Hope that clarifies for you what I was getting at.

Pete
#4
I must plead guilty, Pete, to not having read the article properly. (Having now read it fully) I find this a tad puzzling:-
Quote:
#5
Well, no.
That's what the next sentence explains and what I tried to bring out - once you've ever clicked on an agreement window to "Always trust content from (in this case) Microsoft" no further warnings will need to be given - you've just by-passed them by giving the attacker who has the proper M$ credentials his way in.

That's why I suggested keeping that link handy, so you could self-test with a click (although reviewing your browser settings on a frequent basis would probably do just as well) - and why I suggested you go into the area in Internet Options that I pointed out above and clear it out.

Is this beginning to make sense now?

Pete
#6
Quote:
(far too much eggnog consumed this Christmas, I'm afraid - the auld brain is addled!).