Clipboard Data Theft Now Optional With IE7

An anonymous reader writes "It's been known for a long time that Internet Explorer will happily allow any Web site to steal data that users have recently cut-and-pasted or copied into the Windows 'clipboard' data storage area. Well, now it looks like Microsoft has finally decided that this 'feature' was probably ill-advised, according to The Washington Post's Security Fix blog. IE7 throws up a warning asking whether users really want to let a site filch their clipboard data (Firefox, Opera and most other non-IE browsers forbid this behavior by default)."

Could anyone explain..

[Squapper]

...what on earth where they thinking in the first place?

It's the defaults, stupid

[Anonymous Coward]

I've said it before, and I'll say it again: half of MS's security problems are stupid defaults. You've been able to disable "allow paste from script" in IE for ages now, but it's ENABLED BY DEFAULT. Stupid, STUPID, STUPID!!!

Now, if they would just unhide extensions by default, and disable ActiveX by default except for pages on the trusted list (or just get rid of ActiveX totally, but I realize that'd be asking for too much), and get rid of a few other stupid defaults that I always uncheck on a new install, and we'd all be a lot happier.

Re:Why?

[karmatic]

It's sometimes conveinent to be able to _put_ things in the clipboard. TinyURL uses this feature to automatically copy the generated link to the clipboard for pasting. I've also seen an IRC search engine that pre-copied the file transfer commands for you.

I still can't see a good reason to let the web page automatically get clipboard data. If you need it that badly, throw up a text box, and have the user hit paste.

Re:Features vs. Security

[Tim C]

Microsoft (and other software companies, but MS gets the most attention for it) spent years working under the paradigm where making things more convenient and/or more powerful for the user was the most important thing you could do to get people to use and buy your product.

Don't forget that that includes UNIX; from the preface to O'Reilly's "Practical Unix and Internet Security" [unix.org.ua]:

When the first version of this book appeared in 1991, many people thought that the words "UNIX security" were an oxymoron-two words that appeared to contradict each other, much like the words "jumbo shrimp" or "Congressional action." After all, the ease with which a UNIX guru could break into a system, seize control, and wreak havoc was legendary in the computer community. Some people couldn't even imagine that a computer running UNIX could be made secure.

The various flavours of UNIX have come a long, long way since 1991. So have MS; but they have had farther to go, started later and have not been travelling nearly as fast. A modern Windows PC in skilled/sensible hands is safe enough, but so many are in less than optimal hands...

Only in Opera

[ZPWeeks]

I regularly hop between Firefox, IE7, and Opera. Call me indecisive. My university, like many, uses WebCT pretty extensively. Some places deliver quizzes, exams, and assignments solely through WebCT. The program uses this clipboard function somehow- I assume to watch for plagiarism. It's one of the very few ways I wouldn't object to this "feature". The only browser to ever notify me of WebCT looking at my clipboard was Opera. Probably for this reason, WebCT warns of "incompatibility" with opera, but still allows access. That's alright, since Opera easily masks itself as Firefox. I don't mind it in WebCT- but I would mind it on almost any other website.

Re:Features vs. Security

[cyber-vandal]

And I remember some clown from Microsoft advancing the view that because Unix security sucked when it was the same age as Windows NT it was ok for Windows NT security to suck, thereby inviting their customers to stick with Unix until NT security didn't suck anymore.

Re:Just curious here

[ozmanjusri]

What else was there to compare it to?

VMS, OS360.