Thanx for not killing the Flash clipboard

Recently, a questionable Flash feature, writing to the user’s clipboard, has been exploited. Adobe will finally fix this feature: in the upcoming Flash 10 it will require user interaction (a mouse or keyboard click).

IMHO the people in charge of Flash Player security have chosen the best option, retaining the feature’s functionality while still keeping users secure.

Of course, a user can still be led to click on a malicious Flash movie, or focus can be set to the movie so that any key press pollutes the clipboard.

A stricter security measure could have been chosen: a dialog box asking the user to permit clipboard writing. The Flash Player already uses a similar dialog when interacting with the user’s camera and mic. An updated Internet Explorer uses a dialog when interacting with the clipboard, allowing both read and write.

javascript:clipboardData.setData("text", "I'm in the clipboard"); (IE only)

[Image: IE_clipboard]

But using the latter option would make this feature too annoying for the user, and mostly useless.
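The trade-off between the two options can be made concrete with a small model. This is an added example, not code from Flash Player, Internet Explorer or the original post; the class `GatedPlayer`, the function `evaluate` and the policy names "open", "gesture" and "prompt" are assumptions made for illustration.

```javascript
// Added example: simplified model of clipboard-write gating (not Flash Player code).
class SecurityError extends Error {}
class GatedPlayer {
  constructor(policy, askUser = () => false) {
    this.policy = policy;      // "open" | "gesture" | "prompt" (hypothetical names)
    this.askUser = askUser;    // stands in for a permission dialog
    this.inUserEvent = false;  // true only while a mouse/key handler is running
    this.clipboard = "";
    this.handlers = {};
    this.deferred = [];        // callbacks queued to run later, like timers
  }
  on(type, fn) { this.handlers[type] = fn; }
  defer(fn) { this.deferred.push(fn); }
  // Deliver a user event: the gate is open only for the handler's duration.
  userEvent(type) {
    this.inUserEvent = true;
    try { if (this.handlers[type]) this.handlers[type](); }
    finally { this.inUserEvent = false; }
  }
  // Run queued timer callbacks: no user event is in progress here.
  runTimers() {
    const queue = this.deferred; this.deferred = [];
    for (const fn of queue) fn();
  }
  setClipboard(text) {
    if (this.policy === "gesture" && !this.inUserEvent)
      throw new SecurityError("clipboard write outside a user event");
    if (this.policy === "prompt" && !this.askUser(text))
      throw new SecurityError("user declined clipboard write");
    this.clipboard = text;
  }
}

// Returns which constructed scenarios manage to write under a given policy.
function evaluate(policy, askUser) {
  const attempt = (drive) => {
    const p = new GatedPlayer(policy, askUser);
    try { drive(p); } catch (e) { if (!(e instanceof SecurityError)) throw e; }
    return p.clipboard !== "";
  };
  return {
    timerWrite: attempt(p => { p.defer(() => p.setClipboard("x")); p.runTimers(); }),
    clickWrite: attempt(p => { p.on("click", () => p.setClipboard("x")); p.userEvent("click"); }),
    keyWrite: attempt(p => { p.on("keydown", () => p.setClipboard("x")); p.userEvent("keydown"); }),
    deferredFromClick: attempt(p => {
      p.on("click", () => p.defer(() => p.setClipboard("x")));
      p.userEvent("click"); p.runTimers();
    }),
  };
}
```

Under the "gesture" policy the model rejects timer-driven and deferred writes but accepts a write from any click or key press, which is the remaining exposure mentioned above. Under "prompt" nothing is written unless the user agrees each time.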

Thanx for not killing this feature but still making it secure enough.

As for Flash movies that will still try to exploit this feature, it’s up to ad distributors and website owners to do their part and not distribute or host malicious files.


One Response to “Thanx for not killing the Flash clipboard”

  1. you have more info on Zoo World Cheats than anyone – truly amazing! are you on twitter? thumbsup from me!
