On Sat, 12 Jan 2002 15:06:29 +0000
Tom Gilder <tom@vpwsys.co.uk> wrote:

> IE CLIPBOARD STEALING VULNERABILITY
> More information available at http://tom.vpwsys.co.uk/clipboard/

> VENDOR SOLUTION
> I suggest MS make the Internet Zone default setting to prompt, and
> improve the prompt dialog to show the clipboard contents (if it is
> textual) to the user. They could also add a "always allow this site to
> access the clipboard" checkbox.
>
> Microsoft will probably say something like "it's up to the user to set
> their security settings as they see fit". However I believe the
> majority of IE users will never change anything in their security
> settings. They are simply too complex, and buried in the options
> dialog.

I reported the same issue to Microsoft on 21 Oct 2001 and received
the following reply:

On Thu, 25 Oct 2001 18:52:17 -0700
"Microsoft Security Response Center" <secure@microsoft.com> wrote:

| We are aware of the issue of protecting the contents of the clipboard.
| This behaviour can be controlled, and is present by design for some
| web services such as Hotmail. If you are concerned about clipboard
| sniffing then you can set "Allow paste operations via script" to
| "Disable" or "Prompt" in the Internet zone. This is explained in
| detail in Q224993 "How to Protect the Contents of Your Windows
| Clipboard".

There was a related discussion at Windows NTBugtraq three years ago.

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6634
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6841
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=6968
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9903&L=ntbugtraq&F=P&S=&P=7292

-- 
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/
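
The "Allow paste operations via script" setting named in the MSRC reply can be audited on a machine rather than checked by hand in the options dialog. The PowerShell below is an added example, not part of the original message or of Microsoft's guidance. The registry locations, the URL action number 1407 and the value meanings (0 Enable, 1 Prompt, 3 Disable) are the standard Internet Explorer zone-settings layout and do not appear in the message.

```powershell
# Added example: report "Allow paste operations via script" for the Internet zone.
# Assumptions (not from the message): URL action 1407, zone number 3,
# and the four registry locations listed in $locations.
$action  = '1407'   # URL action for script paste (clipboard access)
$zone    = '3'      # 3 = Internet zone
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$suffix    = "Windows\CurrentVersion\Internet Settings\Zones\$zone"
$locations = [ordered]@{
    'Machine policy'  = "HKLM:\SOFTWARE\Policies\Microsoft\$suffix"
    'User policy'     = "HKCU:\SOFTWARE\Policies\Microsoft\$suffix"
    'User setting'    = "HKCU:\SOFTWARE\Microsoft\$suffix"
    'Machine default' = "HKLM:\SOFTWARE\Microsoft\$suffix"
}

function Get-ScriptPasteSetting {
    foreach ($name in $locations.Keys) {
        $item = Get-ItemProperty -Path $locations[$name] -Name $action `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Key or value absent at this location.
            [pscustomobject]@{ Source = $name; Value = $null
                               Setting = 'not set'; Exposed = $false }
            continue
        }
        $raw   = [int]$item.$action
        $label = if ($meaning.ContainsKey($raw)) { $meaning[$raw] }
                 else { "unknown ($raw)" }
        # Exposed: script can read the clipboard from this zone without a prompt.
        [pscustomobject]@{ Source = $name; Value = $raw
                           Setting = $label; Exposed = ($raw -eq 0) }
    }
}

Get-ScriptPasteSetting | Format-Table -AutoSize
```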