Malvertisement on MSNBC.com using clipboard (copy/paste)
MeanPeepsSuk
Premium
join:2004-11-21
Muddy Field
2 edits
reply to mysec
Re: Malvertisement on MSNBC.com using clipboard (copy/paste)

Removed my response/question from last night as no longer relevant.

Just realized this was an old thread brought to the top again.

mysec
Premium
join:2005-11-29

reply to therube
Thanks for the information. Unfortunately, links from this site explaining the script code for cut, copy, paste, bring up "Content not found".

»msdn.microsoft.com/en-us/library···85).aspx



therube

join:2004-11-11
Randallstown, MD


2 edits
reply to therube
And it looks like we're coming back to ActiveX too. And IE. IE being a "trusted" application, of course.

Why might one have "Clipboard access" enabled? Well, because MS tells you to do so.

quote:
ActiveX controls are used for certain functionality in Microsoft Office Project Professional 2007 and in Microsoft Office Project Web Access. In order for the ActiveX controls to work properly, the Office Project Web Access Web site must be added to the list of trusted sites in Internet Explorer. There are additional security settings that can be configured, but they are optional.

»technet.microsoft.com/en-us/libr···703.aspx

Perhaps this cannot even be disabled in IE6?

Disable Allow This Webpage to Access Your Clipboard Pop-Up Warning Message in IE7

Picture here of what the prompt would look like, »msdn.microsoft.com/en-us/library···85).aspx

Appears you can disable this in IE6 too, »forums.spybot.info/archive/index···665.html.

That post includes a link to a site that retrieves your clipboard information, »www.sourcecodesworld.com/special···oard.asp.
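
The setting discussed in this thread (Internet Options, Security, Scripting, "Allow programmatic Clipboard access") is stored per security zone as registry value 1407. The PowerShell audit below is an added example, not code from any poster in the thread; the function name `Get-ClipboardZoneSetting` and the review rule are assumptions made for illustration.

```powershell
# Added example: report how each IE security zone handles programmatic
# clipboard access (URL action 1407). Read-only; changes nothing.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Actions   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user and per-machine zone keys, plus the policy hives where
# Group Policy can set the same value.
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ClipboardZoneSetting {   # hypothetical helper name
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root "$zone"
            if (-not (Test-Path $key)) { continue }

            # A missing value means this hive does not set 1407 for the zone.
            $prop = Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }

            $value  = [int]$prop.'1407'
            $action = if ($Actions.ContainsKey($value)) { $Actions[$value] }
                      else { "Unknown ($value)" }

            # Assumed review rule: script on Internet or Restricted pages
            # should not get silent clipboard access.
            $review = ($zone -ge 3) -and ($action -eq 'Enable')

            [pscustomobject]@{
                Hive   = $root.Substring(0, 4)
                Policy = $root -like '*\Policies\*'
                Zone   = $ZoneNames[$zone]
                Action = $action
                Review = $review
            }
        }
    }
}

Get-ClipboardZoneSetting | Format-Table -AutoSize
```

A Trusted sites row showing Enable is the configuration the quoted Microsoft guidance leads to, so every site added to that zone gets clipboard access without a prompt.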


therube

join:2004-11-11
Randallstown, MD


1 edit
reply to mysec
quote:
This should be blocked by setting Internet Options, Security, Internet Zone, Scripting, "Allow programmatic Clipboard access" to Disable.

I would be curious if this setting failed to block this vector.

»msmvps.com/blogs/spywaresucks/ar···062.aspx

So it appears this would be a vector in IE that is being exploited? In my case (& I don't use IE) Clipboard access is set to "prompt". (Wonder what a prompt looks like or how I would respond to it if I were prompted?)

And then this, Rogue ads pushing malware -- how it works, describes simply Refreshing the MLB web page & the popups start appearing? Which kind of doesn't make sense?

So combine the two & perhaps Flash related? JavaScript related? JS being allowed to run in Flash?

And there must be some code somewhere on an infected web site that allows the clipboard overwrite to take place. Again perhaps via Flash & JavaScript?

(How can anyone say that using a Mozilla browser & NoScript does not have the potential to help in browsing safely?)

EDIT:
So perhaps MLB was injected with code, using a META tag to force malware page to open. Something like this:

mysec
Premium
join:2005-11-29

reply to Doctor Four
said by Doctor Four:

Sandi Hardmeier, in her Spyware Sucks blog, is warning of a
new type of malvertisement that overwrites Windows' clipboard,

Has anyone seen the source code that shows how this is done?

Friday, 04-Dec 15:34:49 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.