Can Adobe mitigate 'clipboard hijack' issue?

Can Adobe mitigate 'clipboard hijack' issue?

Summary: Adobe's product security incident response team (PSIRT) says it is investigating possible solutions to the clipboard hijack attacks spotted on Flash-based advertisements on high-profile Web sites.A barebones note on the PSIRT blog simply acknowledges the issue and promised more information after the investigation but, by mentioning "possible solutions," it is clear that that Adobe is looking for ways to mitigate the threat.

SHARE:

Adobe investigating clipboard hijack attackAdobe's product security incident response team (PSIRT) says it is investigating possible solutions to the clipboard hijack attacks spotted on Flash-based advertisements on high-profile Web sites.

A barebones note on the PSIRT blog simply acknowledges the issue and promised more information after the investigation but, by mentioning "possible solutions," it is clear that that Adobe is looking for ways to mitigate the threat.

Here's an interesting bit from the Flash documentation:

  • The System.setClipboard() method allows a SWF file to replace the contents of the clipboard with a plain-text string of characters. This poses no security risk. To protect against the risk posed by passwords and other sensitive data being cut or copied to clipboards, there is no corresponding "getClipboard" (read) method.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

I'm not entirely sure why a SWF file would need the ability to write to the clipboard but, now that we know it does present a security risk (see harmless clipboard-takeover demo), Adobe might want to nuke that functionality altogether or at least rewrite the documentation to discuss this threat.

Or, the company can put up a roadblock/warning mechanism whenever a Flash file tries to use the System.setClipboard() method.

[ SEE: Adobe: Beware of fake Flash downloads ]

Adobe already does this when a SWF file attempts to access a user's camera or microphone using the Camera.get() or Microphone.get() methods -- via a Privacy dialog box, in which the user can allow or deny access to their camera and microphone:

Can Adobe mitigate ‘clipboard hijack’ issue?

While Adobe works on a fix (they should, at the very least, provide a warning screen!), end users should start looking for mitigations elsewhere.  I'd start with Firefox and NoScript, a combination that blocks this attack by default.

* Image source: annia316's Flickr photostream (Creative Commons 2.0)

Topics: Security, Enterprise Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

10 comments
Log in or register to join the discussion
  • wrong on noscript

    Firefox and noscript don't block this. It's not a script problem.
    larry@...
    • Re: wrong on noscript

      Firefox and NoScript do block this and more.
      NoScript blocks by default not just JavaScript, but also Flash, Silverlight Java and any other active content on untrusted sites. Flash & Co. can be optionally blocked on trusted sites too, and activated on demand by clicking on placeholders.

      See http://noscript.net/features#contentblocking

      (disclaimer: I'm NoScript's author)
      Giorgio Maone
      • noscript for ie?

        Giorgio - You Rule!

        Too bad it can't be an add-on for internet exploder. My users could really use it!
        ridingthewind
      • wrong on wrong on noscript

        yes, i apologize. I was passing on a false report elsewhere which has also been corrected.

        Personally, I don't think surfing with noscript is practical, but I don't want to misinform about it.
        larry@...
        • Not practical??

          How impractical is perusing the internet quicker (no unwanted content taking bandwidth) and safer? A mere click of the mouse allows the user to allow each or all elements on the page be loaded. The benefits outweigh the potential inconvenience(?) by far.
          aussiedawg
  • RE: Can Adobe mitigate 'clipboard hijack' issue?

    If you use firefox, the flashblock plugin allows you to select which flash movies on a specific site you want to load. So you can ignore flash adverts, but load actual movies that you want to watch. you can also setup trusted sites to run all flash content.
    Scott Larson
    • FlashBlock is not reliable for security

      http://hackademix.net/2008/06/08/block-rick/

      http://it.slashdot.org/comments.pl?sid=650965&cid=24668223
      Giorgio Maone
  • RE: Can Adobe mitigate 'clipboard hijack' issue?

    I Verified that the attack still works even if flashblock is installed and enabled., Thank you.
    Scott Larson
  • RE: Can Adobe mitigate 'clipboard hijack' issue?

    Just a FYI. Flashblock does not prevent this attack from happening.
    Scott Larson
  • A Manual Fix (Firefox Only)

    All you have to do is go to Tools>Add-ons>Plugins, scroll down until you see "Shockwave Flash" (I don't know why it's stil called Shockwave, but that is what it is labeled), then click the "Disable" button once, and immediatly click "Enable" again. Close the add ons window you are done. Note the value will still be in the clipboard, but if you go to copy/cut something else you will now be able to.

    ~Oorang
    http://oorang.webs.com
    Oorang