Users warned over IE clipboard exploit
Windows users were warned over the weekend of an exploit in Microsoft's Internet Explorer browser that lets any Web site copy the contents of the Windows clipboard without the user knowing.
Popular Windows site NTFS highlighted the exploit, which has been known about for some time, but which is still not widely known amongst users. "I often copy and paste passwords," said one ZDNet UK reader on finding out about it.
As the number of passwords that people have to keep track of increases, many resort to quick and easy methods of remembering and entering them, and cutting and pasting from a document is not uncommon. A recent survey found that the average IT user now has 21 passwords, with some heavy users having to keep track of as many as 70. Forty-nine percent write their passwords down, or store them in a file on their PC.
A Web page with a simple piece of code can use the Internet Explorer exploit to monitor the contents of the clipboard, and send them to a remote server-side script for processing. The remote script is then able save the clipboard text in a database, or email it to an arbitrary address.
"The biggest threat is if you copy your Internet banking security code or password to your clipboard, then go surfing," said NTFS. "You may even copy your credit card number when buying online, so it is easier to fill in the details, (and then) you may then go to a site that harvests your clipboard information."
Users can protect themselves from the exploit by clicking on Tools in the Internet Explorer toolbar, then selecting Internet Options / Security / Custom Level, scrolling to Scripting and disabling "Allow past operations via script".
This latest warning comes hot on the heels of several new IE security bugs, and as Microsoft's browser continues to increase in poularity, now commanding more than 52 percent of the market.
Microsoft was not immediately available for comment.
Let the editors know what you think in the Mailroom.