
September 19th, 2008

Adobe moves to nuke ‘clipboard hijack’ attacks

Posted by Ryan Naraine @ 1:02 pm

Categories: Patch Watch, Hackers, Zero-day attacks, Browsers, Vulnerability research, Spam and Phishing, Spyware and Adware, Exploit code, Data theft, Adobe, Flash, Arbitrary Code Execution, Complex Attacks, Malware

Tags: User Interaction, Adobe Systems Inc., Macromedia Flash Player, Attack, Keyboards, Security, Hardware, Peripherals, Ryan Naraine

Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.

The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).

Here’s the skinny on the Flash Player 10 changes:

[ SEE: Can Adobe mitigate ‘clipboard hijack’ issue? ]

In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.
This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.
Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user.
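To make the rule above concrete, here is an added ActionScript 3 example (written for this page, not Adobe’s code or the quoted advisory’s) showing the pattern that stops working under Flash Player 10 and the pattern that content authors must move to. The class name, the button, and the sample text are constructed for illustration; the claim that a rejected call surfaces as a runtime SecurityError is my understanding of Flash Player 10 behaviour, not something the quoted text states.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.MouseEvent;
    import flash.system.System;
    import flash.desktop.Clipboard;
    import flash.desktop.ClipboardFormats;

    // Illustration of the Flash Player 10 user-interaction requirement for clipboard writes.
    // Not Adobe's code; class name and sample text are constructed for this example.
    public class ClipboardExample extends Sprite {
        // Constructed sample text, standing in for whatever a legitimate "copy" button copies.
        private const SAMPLE:String = "https://example.invalid/share-link";

        public function ClipboardExample() {
            // Flash Player 9 style: write the clipboard at load time, with no user gesture.
            // Under Flash Player 10 this is rejected, because the constructor does not run
            // inside an event triggered by user interaction. This is the path a malicious
            // banner ad relied on, and it is exactly what the new rule closes off.
            try {
                System.setClipboard(SAMPLE);
            } catch (e:SecurityError) {
                trace("Clipboard write blocked outside user interaction: " + e.message);
            }

            // Flash Player 10 pattern: perform the copy inside a handler for a user gesture.
            var copyButton:Sprite = makeButton();
            copyButton.addEventListener(MouseEvent.CLICK, onCopyClick);
            addChild(copyButton);
        }

        private function onCopyClick(event:MouseEvent):void {
            // Runs synchronously inside a CLICK event, so the user-interaction check passes.
            // Legacy API, still available to AS3 content:
            System.setClipboard(SAMPLE);

            // The newer AS3 Clipboard API is covered by the same rule.
            Clipboard.generalClipboard.clear();
            Clipboard.generalClipboard.setData(ClipboardFormats.TEXT_FORMAT, SAMPLE);
        }

        // Minimal clickable rectangle so the example is self-contained.
        private function makeButton():Sprite {
            var b:Sprite = new Sprite();
            b.graphics.beginFill(0x3366CC);
            b.graphics.drawRect(0, 0, 120, 30);
            b.graphics.endFill();
            b.buttonMode = true;
            return b;
        }
    }
}
```

The check is tied to the synchronous execution of the interaction handler: deferring the write to a Timer, an ENTER_FRAME handler, or a callback that fires after the click has been processed takes it back out of the user-interaction context, so content that queues clipboard updates needs restructuring, not just a wrapper around the old call. For defenders the useful consequence is that a SWF which writes the clipboard on load or on a repeating timer, the behaviour seen in the rogue-ad campaign, can no longer do so once the player is upgraded, regardless of the SWF version it was compiled for.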

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.


 * Photo credit: EdTarwinski’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 17)

RE: Adobe moves to nuke 'clipboard hijack' attacks
ClipGuru, a free clipboard manager from HTConsulting - http://clipguru.com - attempts to notify users of Windows clipboard hijacking....
Posted by: berrytaylor | 10/06/08
