Clipboard Data Theft Now Optional With IE7

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."

Re:not quite

[ruiner13]

I could be wrong, but I think I remember a setting in Firefox's about:config page that allows you to enable sites to access the clipboard. This may have been removed, but I think it was in there at least in FF 1.0. There is still something called clipboard.autocopy in there in FF 2.0.0.1, I don't recall if this is the same setting.

Re:not quite

[liquidpele]

Actually, I wrote an intranet site that uses this feature. For firefox, I had to use a flash hack to make it work though, so technically with a default Firefox install you can still mess with the clipboard anyway. I agree for normal internet sites there is no need though. You can also enable it through firefox advanced parameters in about:config, but I don't have the link to that information at the moment.

Re:not quite

[Thansal]

quick google tells us that clipboard.autocopy is a *nix only option that automaticly copies seleced text to the clipboard.

Only a matter of time...

[Joebert]

... before someone ignores that little "This is a Phishing site you fucking moron !" indicator & clicks "ok" for this prompt.

Yes, it's possible to disable it completely through Internet Security Settings with a setting called "Programatic Clipboard Access".

Re:not quite

[Binestar]

clipboard.autocopy is the setting to tell you if you want highlighted text to automagically be copied instead of doing it with the mouse/keyboard.

signed.applets.codebase_principal_support Gives scripts using codebase principals access advanced scripting capabilities. Basically, it allows signed applets out of the sandbox because they've promised to play nice. One of the main uses of this (according to the help page) is to allow IRC applications access to your clipboard.

http://kb.mozillazine.org/Firefox_:_FAQs_:_About:c onfig_Entries [mozillazine.org]

Re:not quite

[uncommonlygood]

Don't know about the others, but firefox definitely does implement it [mozillazine.org], it's just off by default.

example

[c00rdb]

here's a site that has a valid use for the paste part of the exploit. not sure about the retrieval part... (works on firefox too) www.2prong.com

Re:Are both ways fixed?

[lostboy2]

Not "fixed" (as in removed), but apparently you can turn it off [microsoft.com] in IE4 through IE6.

Workaround for IE6

[edraven]

Change the security setting for "Allow paste operations via script" to "Prompt". Now it'll ask you every time a script interacts with the clipboard, as near as I can tell. For example, when you're pasting text into the form on Google Maps, it'll ask you if that's okay even though it's you the user requesting the paste operation. But pasting into the Post Comment form here on slashdot does not.

This has an interesting side effect on the "harmless" exploit page mentioned in the article, though. The script on that page apparently loops continuously, so every time you answer (whether yes or no) the dialog is presented again. The dialog takes precedence over other IE controls, and as near as I can tell there's no way out short of terminating the browser.

Re:Probably?

[pclminion]

You're worried that if someone steals your laptop, they might be able to find your email address and spam you?

First of all, I said email PASSWORD, not address. Somebody could steal my laptop and read my email and send email from my account. That would require them to be able to discern the password in all the millions of bytes of swap data, but I can imagine writing a program that could scan for candidates.

If my email password happened to be equal to my main account password (as can happen due to certain policies, but thankfully not in this case), that's quite a bit more serious. It makes me wonder what else might be lurking in the swap partition. When you type a password (like say, the root password for your main file server) into an application, you're really placing all your faith in that application to dispose of that data appropriately. So yeah, I'd be worried, especially in the context of a company, where it's easy to get your hands on a laptop that doesn't belong to you.

My IE7...

[sheepoo]

...did not prompt me!

Re:Features vs. Security

[a.d.trick]

Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.

I think it's more acurate to say "appear convenient and powerful". There's nothing convient or powerful about data lost or computers infected with worms and trojans.

Re:not quite

[AchiIIe]

Keep in mind, this is an Ajax app, the "GUI" does not know about the internal schema that google spreadsheets uses. I'm not talking about just copying some text, when using spreadsheets you may want to copy a whole row, or a table - formulas formatting & all the works so you can paste it in excel/openoffice/gnumeric In this case you Have to give access the the javascript application so that it can construct the correct representation and place it in the clipboard.

Re:not quite

[master_p]

But copy-paste works locally. When you copy-paste data between your documents, even on the web, javascript puts the data on the local clipboard. Remote apps should not be able to steel data from the local clipboard.

Re:example

[fbjon]

That site works in Opera too, incidentally, but it's not an example of the security hole. It can only overwrite the content in the clipboard, not copy it back, so it's not a problem. Though perhaps a mild annoyance if you happen to store all your important data and private keyfiles in there.

Re:Features vs. Security

[complete loony]

Plus they also tried to turn IE into a platform for intranet applications that *require* more access to the machine than they should have from within a browser.

Re:not quite

[Binestar]

This is the default (and very useful) behavior in each of the linux install's I've ever done.

Being able to highlight something, then middle click to paste it somewhere is huge.

You still have a separate ctrl-c and ctrl-v functionality with a separate clipboard for your manual copy/paste, so you're not losing any functionality.

It's a *very* useful feature, and far from useless, I keep looking for something similiar for windows but can't find anything that works for me.