SUMware
Premium
join:2002-05-21
1 edit | reply to Doctor Four
Pwning the clipboard - latest trick in FakeAlert distribution
»www.sophos.com/security/blog/200···from=rss
"The fact that victims report experiencing these issues after browsing legitimate, popular sites, suggests that malicious Flash is the culprit. The attackers are probably using the setClipboard() method within ActionScript embedded in Flash content. Maybe the attackers have poisoned some ad-stream as a way of hitting large volumes of users?
I guess we should be glad the Adobe folks were wise enough to not provide the corresponding getClipboard() method!" |
|
SUMware
Premium
join:2002-05-21
1 edit | reply to Doctor Four
Re: Malvertisement on MSNBC.com using clipboard (copy/paste)
NoScript | 
Proxomitron |
|
|
Bink
join:2006-05-14
Denver, CO | reply to Doctor Four
I swear, Flash is becoming the scourge of the Internet. If you use Internet Explorer, do yourself a favor and leave Flash disabled—»flash.melameth.com. |
|
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
 ·AT&T U-Verse
1 edit | reply to Doctor Four
I decided last night to see if I could duplicate this
hijack, so I did something dangerous, security-wse:
I disabled my hosts file temporarily.
I then went to several of the sites where the hijack was
being reported, while using IE and Fiddler, and not once
did I see it - no fraudware URLs showed up in Fiddler's
capture logs.
I'll try again tonight, but I have to wonder if the ad
network that was a vector for this hijack caught onto it
and got rid of it.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
therube
join:2004-11-11
Randallstown, MD
3 edits | reply to SUMware
Ha! That is only too funny.
I'm trying to figure out why I can't get the testcase to work? It was not until I went to copy/paste a URL into another window that I see it DID work. Crafty.
If that happened to me out of the blue, it would be disconcerting to say the least.
Using NoScript (& assuming that Flash is blocked) thwarts the exploit. And even if you were to Temporarily Allow the Flash, once you Revoke Temporary Persmissions, the exploit again ends.
So it looks like my earlier thoughts were partially correct. It does involve Flash & JavaScript, but it is not dependent upon IE or ActiveX. |
|
SUMware
Premium
join:2002-05-21
1 edit | reply to Doctor Four
Adobe Product Security Incident Response Team (PSIRT)
From Adobe August 19, 2008:
Clipboard attack
"We are aware of recent press reports about a potential “Clipboard attack” issue that involves Flash Player. Adobe is currently investigating potential solutions to this issue and will update customers as soon as we have more information to provide." |
|
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse
| reply to therube
Re: Malvertisement on MSNBC.com using clipboard (copy/paste)
said by therube  :Using NoScript (& assuming that Flash is blocked) thwarts the exploit. And even if you were to Temporarily Allow the Flash, once you Revoke Temporary Persmissions, the exploit again ends. So it looks like my earlier thoughts were partially correct. It does involve Flash & JavaScript, but it is not dependent upon IE or ActiveX. Indeed it does thwart the hijacking. From the NoScript homepage: »noscript.net/?ver=1.7.9&prev=1.7···blocking
Looks like third party flash is blocked by default unless specifically allowed.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
Jayhawk21
join:2008-09-12 | reply to Doctor Four
I would just like to point out that this happened to me in Vista with Google Chrome today.
Damn! |
|
MeanPeepsSuk
Premium
join:2004-11-21
Muddy Field
clubs:
2 edits | reply to mysec
Removed my response/question from last night as no longer relevant.
Just realized this was an old thread brought to the top again. |
|
SUMware
Premium
join:2002-05-21
| reply to Doctor Four
To Be Fixed in Flash Player 10
From ZDNet
September 19th, 2008 - quote:
Adobe moves to nuke ‘clipboard hijack’ attacks
Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.
The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.
(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).
Here’s the skinny on the Flash Player 10 changes:
In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.
This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.
Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user. Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.
|
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by SUMware :From ZDNetSeptember 19th, 2008 - quote:
Adobe moves to nuke ‘clipboard hijack’ attacks
Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.
The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.
(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).
Here’s the skinny on the Flash Player 10 changes:
In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.
This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.
Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user. Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.
Will it be fixed in newer Flash v9? Or do we have to update to v10? 
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse
| reply to Doctor Four
Re: Malvertisement on MSNBC.com using clipboard (copy/paste)
Adobe says they are going to fix this, but there is now a much more serious threat involving clickjacking:
»blogs.zdnet.com/security/?p=1972
quote:
In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.
Firefox and NoScript can give a degree of protection against this, according to an email the creator, Giorgio Maone, sent the ZDNet blogger.
»blogs.zdnet.com/security/?p=1973
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
SUMware
Premium
join:2002-05-21
2 edits | DF, thanks for posting this additional information.
From your link »blogs.zdnet.com/security/?p=1973 it's worth excerpting the following: quote:
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:
Hi Ryan,
I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:
1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the "Plugins|Forbid [IFRAME]" option.. Cheers,
Giorgio I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.
Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.
|
|
swhx7
Premium
join:2006-07-23
Elbonia
 ·RoadRunner Cable
| reply to Doctor Four
So is this now the correct thread for the clickjacking topic? I believe it is not the same as the original topic here, i.e. the clipboard exploit, but anyway.
The discoverers have been vague about just what the "clickjacking" involves. The reason of course is the same as in the recent Kaminsky/DNS thing, to give vendors time to patch. This has led to some anxiety about how site maintainers and surfers can be safe.
In looking around however, I found a clear explanation of at least one implementation of it: »lists.whatwg.org/pipermail/whatw···284.html
The above is already out there, so I'm not making it any worse by linking.
I favor Zalewski's #4, because it puts the user most in control. |
|
avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ | The only solution is #5 |
|
SUMware
Premium
join:2002-05-21
1 edit | reply to swhx7
said by swhx7 :So is this now the correct thread for the clickjacking topic? I believe it is not the same as the original topic here, i.e. the clipboard exploit, but anyway. It would probably better to start a new 'clickjacking' thread. This looks to be a serious and ongoing vuln that will continue for quite some time. So feel free...
Your info is very interesting. Thanks. |
|
