Free Republic

Mac, Windows clipboards poisoned by URL attacks
Networkworld ^ | By Gregg Keizer | 08/19/2008

Posted on 08/23/2008 7:25:48 PM PDT by Swordmaker

To: Swordmaker

I did not know that. Thanks for the info.


21 posted on 08/23/2008 9:43:48 PM PDT by Inyo-Mono (If you don't want people to get your goat, don't tell them where it's tied.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Swordmaker

Yeah, I just tried it with several browsers on my Mac G5 quad OSX 10.4, the clipboard was captured and kept pasting “evil.com” (Hillary’s website??) into everything.

It flushed the clipboard when I closed the window.

Ed


22 posted on 08/24/2008 12:49:25 AM PDT by Sir_Ed
[ Post Reply | Private Reply | To 13 | View Replies]

To: Swordmaker

There is a solution to the problem: Look at the url you paste in the address box before you hit ENTER.


23 posted on 08/24/2008 12:52:28 AM PDT by Jeff Chandler (Merci beau coup.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: B Knotts
"I hope someday, Flash will just go away. It’s just awful."

Wrong. Flash is good. Now PDF files...

24 posted on 08/24/2008 12:53:52 AM PDT by Jeff Chandler (Merci beau coup.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Swordmaker
"The issue is technically true... but you have to read this phrase correctly: '. . . are planting the URLs into clipboards on both Macs and PCs running Windows . . .' The key is that Macs, running Windows, are vulnerable to having the Windows' clipboard taken over!"

That's just sloppy writing. The vulnerability is in Flash, which has the ability to access the clipboard on both operating systems (and Linux, too).

If you have a Photobucket account, you've probably used the Direct Link facility they put below each image. Click it, and it copies the picture URL to the clipboard. If you examine the underlying code, you will find it uses JavaScript to access an included .swf, which does the actual copy operation.

25 posted on 08/24/2008 1:02:16 AM PDT by cynwoody
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
I presume this exploit operates by looping the JavaScript code in the Flash to repeatedly copy the bogus URL into the clipboard. That's why the exploit vanishes when you close the browser window.

I really wish there was a way to send a large EMP into the servers owned by these spammers. I'd like to tase the spammers too for good measure!

26 posted on 08/24/2008 4:33:35 AM PDT by 6SJ7
[ Post Reply | Private Reply | To 10 | View Replies]

To: Jeff Chandler

Flash needs to be replaced with something open. For crying out loud, Adobe *still* hasn’t released a 64-bit Flash player!


27 posted on 08/24/2008 6:24:18 AM PDT by B Knotts (Calvin Coolidge Republican)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Jeff Chandler
"Wrong. Flash is good. Now PDF files... "

So you're the guy spreading all the Flash malware.

/kidding

28 posted on 08/24/2008 7:14:18 AM PDT by HangThemHigh (Entropy's not what it used to be.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: 6SJ7
"I presume this exploit operates by looping the JavaScript code in the Flash to repeatedly copy the bogus URL into the clipboard. That's why the exploit vanishes when you close the browser window."

Yes, if you open the clipboard viewer (clipbrd.exe) with the site open, you can watch the clipboard being rapidly overwritten with the infected URL. Navigate away from the site and the clipboard contents stay, but can be overwritten by the user.

29 posted on 08/24/2008 7:21:46 AM PDT by HangThemHigh (Entropy's not what it used to be.)
[ Post Reply | Private Reply | To 26 | View Replies]
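
The behaviour described in post 29 (a URL that is rewritten onto the clipboard almost immediately after anything else is copied) can be turned into a detection check. This is an added example, not part of any poster's comment: the function names and sample data are constructed, and it assumes some poller already supplies chronological (time, clipboard text) pairs.

```python
from urllib.parse import urlparse

def looks_like_url(text):
    """True if the clipboard text parses as an http(s) URL with a host."""
    parts = urlparse(text.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def find_reasserted_urls(samples, max_gap=1.0, min_reverts=2):
    """Return {url: revert_count} for URLs that keep overwriting other content.

    samples: chronological (timestamp_seconds, clipboard_text) pairs.
    A revert is counted when a URL that was replaced by different content
    is back on the clipboard within max_gap seconds of being replaced.
    The poller must sample more often than max_gap for this to be reliable.
    """
    displaced = {}  # value -> time it was last replaced by something else
    reverts = {}
    prev = None
    for ts, text in samples:
        if text == prev:
            continue  # no change since the last sample
        if prev is not None:
            displaced[prev] = ts
        if (looks_like_url(text) and text in displaced
                and ts - displaced[text] <= max_gap):
            reverts[text] = reverts.get(text, 0) + 1
        prev = text
    # One quick re-copy can be a user; repeated reverts are the signature.
    return {u: n for u, n in reverts.items() if n >= min_reverts}

# Constructed samples: the user copies twice, the URL comes back each time.
EVIL = "http://evil.example/landing"
HIJACKED = [(0.0, "meeting notes"), (0.5, EVIL), (1.0, EVIL),
            (3.0, "shopping list"), (3.2, EVIL),
            (6.0, "https://example.org/real"), (6.3, EVIL)]
# Constructed samples: a user re-copying the same link by hand.
BENIGN = [(0.0, "https://example.org/a"), (5.0, "some text"),
          (40.0, "https://example.org/a"), (41.0, "other"),
          (41.5, "https://example.org/a")]

if __name__ == "__main__":
    print(find_reasserted_urls(HIJACKED))
    print(find_reasserted_urls(BENIGN))
```
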

To: Swordmaker

I believe I have witnessed the end-result of this very problem. I have received numerous messages on Facebook from folks I know, that have a short three or four word message, and a long crazy looking URL. While the URLs appear to be different, they all go to the same fake video hosting “page” that if you click ANYWHERE on the page, it downloads an exe file that appears to be a pretty ugly bug.

The friends I have received this from are all pretty good folks who would not intentionally pass on such trash. I suspect they used one of the apps on Facebook to send something to all their friends - and the malicious URL was put through instead.

Or the problem is completely unrelated - but sure sounds so (notice the reference to Facebook in the text).

Of course, as I sit here typing on my iBook, I’m not worried about the .exe file sitting on my desktop.

Anyone want me to send you the file????


30 posted on 08/25/2008 7:29:38 AM PDT by TheBattman (Vote your conscience, or don't complain about RINOs!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: jsc572
"NoScript will not block Flash script exploits. The best security combo for Firefox is AdblockPlus+NoScript+FlashBlock. And if you are really surf paranoid, get ImgLikeOpera extension for FF too, it lets you block all graphics (to avoid rare GIF exploits)."

Thank you for this tip. I use Firefox and have only run NoScript until I saw this post. I'm amazed at how much faster my ad-heavy homepage loads now. Much appreciated.

31 posted on 08/25/2008 7:41:06 AM PDT by Colonel_Flagg ("We are the people." - Psalm 95:7)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Swordmaker

Lynx doesn’t seem to suffer from this problem. ;)


32 posted on 08/25/2008 11:20:50 AM PDT by Question_Assumptions
[ Post Reply | Private Reply | To 10 | View Replies]

To: Colonel_Flagg

No problem. Don’t forget to subscribe to a filter list for ABP to eliminate 99% of the ad junk out there; I personally prefer Rick’s Easylist.


33 posted on 08/25/2008 12:14:13 PM PDT by jsc572
[ Post Reply | Private Reply | To 31 | View Replies]

