Adobe Flash Ads Launching Clipboard Hijack Attacks
bullyBEEF writes "Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks. In the Web attacks, which affect Mac, Windows, and Linux users running Firefox, IE, and Safari, bad guys are seizing control of the machine's clipboard (probably using the Flash command setClipboard) and inserting a hard-to-delete URL that points to a fake anti-virus program. A number of legitimate sites have been seen to host ads carrying the attack — including Newsweek, Digg, and MSNBC.com. Researcher Aviv Raff offers a harmless demo of how it's done."
Re:Yes, it's annoying (Score:5, Insightful)
Umm.. yeah, and then you'll say "sure, install this program I didn't even ask to install". If that's something to be worried about then no amount of "security" is going to protect these people.
Re:confirmed on mac os x 10.5.4 (Score:3, Insightful)
Here on 10.5.4/Safari 3.1.2, closing the browser window/tab or simply navigating to another page fixes it.
Still, it's disturbing that a web site can copy data to the clipboard without permission. Browser makers need to make plugin content opt-in (a la flashblock), or at least run plugins in a very limited sandbox until the user requests otherwise.
evil (Score:2, Insightful)
Re:Yes, it's annoying (Score:3, Insightful)
"no amount of "security" is going to protect these people"
Protect them? Protect us! They get their machines infected, they become the latest members of bot nets, flood our mailboxes with spam, hit the servers we use with DDoS attacks... no we can't protect 100%, but it's in all of our best interests to try, and close off any avenues of attack that we can.
Re:Clicked on the flash area in NoScript in the de (Score:3, Insightful)
These days you have to go out of your way to avoid flash by learning about and installing less popular Web browsers like Firefox and installing extensions (Add-ons) like NoScript that you have to educate yourself about. These days even browsers like Firefox come pre-installed with crapware and bloatware like Microsoft DRM and Shockwave Flash. These things I have manually disabled.
I often hear people on Slashdot claiming that Flash is safe, but I also constantly hear about flash-based exploits as well. To most Slashdot users I would think Flash would be relatively safe, however most people are not Slashdot users.
The Internet is becoming less accessible to me as the years go by. There is no need for Flash or Java or JavaScript (to navigate to a URL for example). I can only perceive malicious reasons why Web developers would try to force people to use these technologies.
When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.
Re:Lame results with Linux (Score:3, Insightful)
I think that's an X11 anachronism you're dealing with there. No idea why it still exists in 2008.
Re:Lame results with Linux (Score:1, Insightful)
This is because Linux, in its infinite wisdom, decided to have two clipboards - one for selecting text and middle-clicking, and one that works with Ctrl-C and Ctrl-V like all the other OSes. Yay for confusing users with needless features. But of course there must be some technical users out there who take advantage of the two clipboards and would never allow removing one of them from the OS.
Re:Yes, it's annoying (Score:5, Insightful)
But I fail to see how you can leverage this to gain privs.
1. Every 100ms, put some evil UNIX commands on the clipboard, surrounded by line breaks. I'm sure you can come up with a one-liner that compromises a user's system.
2. Hope someone will paste into a Terminal window while your evil page is open.
I paste into Terminal windows all the time. For example, I might copy an error message and then grep another file for the message. If there's an evil web page open while I do that, the paste will own me.
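A defensive check for the paste-into-terminal scenario described in the comment above, as an added example that is not part of the original thread: it flags clipboard text carrying line breaks or control characters before it reaches a shell prompt. The function names and the sample string are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample: what the clipboard might hold when the user believes
# they copied only an error message (harmless placeholder, not real data).
SAMPLE_CLIPBOARD = "\nconnection refused\necho constructed-placeholder-command\n"

# Terminator of xterm "bracketed paste" mode; if it appears inside pasted
# text, the terminal may treat the remainder as typed input.
BRACKETED_PASTE_END = "\x1b[201~"


def inspect_paste(text):
    """Return the reasons this text is risky to paste into a shell."""
    findings = []
    if "\n" in text or "\r" in text:
        # A line break submits the line, so the shell runs it immediately.
        findings.append("line-break")
    if BRACKETED_PASTE_END in text:
        findings.append("bracketed-paste-escape")
    if any(unicodedata.category(c) == "Cc" and c not in "\n\r\t" for c in text):
        findings.append("control-character")
    if any(unicodedata.category(c) == "Cf" for c in text):
        # Zero-width and direction-override characters hide content.
        findings.append("invisible-format-character")
    return findings


def neutralize(text):
    """Make text inert at a prompt: a single line with no control or
    format characters, so nothing runs until the user presses Enter."""
    text = re.sub(r"[\r\n]+", " ", text)
    kept = [c for c in text if unicodedata.category(c) not in ("Cc", "Cf")]
    return "".join(kept).strip()


if __name__ == "__main__":
    print(inspect_paste(SAMPLE_CLIPBOARD))
    print(repr(neutralize(SAMPLE_CLIPBOARD)))
```

Terminals that support bracketed paste apply a similar idea by holding pasted text for confirmation instead of executing it line by line.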
Re:Clicked on the flash area in NoScript in the de (Score:5, Insightful)
> When a Web site says Flash, JavaScript, Silverlight, Internet Explorer or anything else is required then that Website is never again visited. One must separate the wheat from the chaff.
This may be true, except if you want to do a real web application. Loading a whole HTML-page, just to change some state of a (non-form-element) interface element... That's insanity. ;)
You've done the same that someone in a trauma does. You've created false associations. It's not the technology or even the virtual machine that's bad. It's the implementation.
Your argument is the same, as if someone who had only bad experiences with x86, while having good ones with his old 86000s, argues that "if an application requires x86, then that application is never again used."
The same is true for OSes. Someone could implement Windows XP in a proper manner, and make it a very safe system. (I did not say that someone would want, though
Or in short:
Someone can crack a bad JavaScript VM and contaminate the rest of the system. And someone could crack a bad OS, and contaminate the rest of the system. There are even examples for this on virtualization VMs. (Heck, the system's clipboard is accessible to all 3 of them, on modern VMs!)
So my vote goes for replacing the JavaScript VM with a hardened generic VM, with a fixed interface to the outside world, and adding JavaScript, Python, Ruby, Haskell, OCaml and more as languages to it (via add-ons, or pre-compiled?)
Okay, I think one should remove at least one layer of abstraction/VM and harden the OS so that even OpenGL on JavaScript would not have a performance loss. (Yes, this would be useful. E.g. for quick dynamic data visualization or entertainment applications.)
Re:Write Filter = Best Antivirus (Score:4, Insightful)
So, basically, writing to your hard drive is twice as hard as it is on a normal computer? And you call that a feature that should be installed by default?
Your original problem is that you have programs installed that do stuff to your computer that you don't want. And your solution is an extra layer that those programs are not designed to penetrate. There are two problems with having such software installed by default:
a) it would be twice as hard to do stuff. I'm sure you realize this, and have already gotten used to it, and accept it.
b) if this software became popular, then any malicious, or just poorly behaved software that does stuff you don't want, such as write to the hard disk, will write to the hard disk as normal, and then penetrate your extra layer of obscurity to actually write to the hard disk. Programmers would be somewhat inconvenienced, and would have to use special libraries for writing to the hard disk, and users would be annoyed.
This EWF software you speak of is for a niche market, and would fail for everybody if it became popular. It's sort of how Linux doesn't have many viruses. Except Linux not having viruses is a side effect, and there are plenty of other reasons to use Linux if it became popular and malware authors decided to target it, whereas your software would fail if it became popular, and malware authors targeted it.
It's kind of like how the Windows outgoing firewall is useless. Every piece of malware knows to put itself on that whitelist. Whereas if you use a software firewall that is not installed by default, then chances are good that the malware author didn't spend time on bypassing that one.
Re:Question for you flash blockers (Score:2, Insightful)
Re:Lame results with Linux (Score:3, Insightful)
The way I see it, having multiple clipboards, and multiple ways to write to and from the clipboard, are separate issues. I can see the reason behind multiple access points to the clipboard, but having multiple, unrelated clipboards is somewhat of an annoyance.
And there is another issue. Try opening an editor, or browser. Write some text, and copy that text to the clipboard. Now exit the editor. Your data in the clipboard is lost. This has tripped me up many times, and I would really like to fix it. It doesn't have to be that way, either. I can copy stuff with xclip, which exits immediately, but that info remains in the clipboard.
Re:Go tell Adobe (Score:4, Insightful)
After a decade of horrors visited upon the world by Internet Explorer, you'd think everyone would view such a large proportion of content being delivered via a proprietary format and software (one, mind you, that renders via software and doesn't even have a functioning 64-bit version) as so incredibly dangerous and foolish as to dismiss it.
If just as much effort were put into a better streamlined and functional JavaScript/ECMAScript interpreter based on open specs as is being put into reverse engineering Flash and now trying to figure out ways to secure it, we wouldn't even need the goddamn thing to begin with. There are better scripting engines than Flash, there are better video formats than Flash, so why the fuck is so much attention paid to something that's so inherently flawed?
Re:Clicked on the flash area in NoScript in the de (Score:4, Insightful)
Worked here as well. One more point against Flash: what on *earth* were they thinking when they put that 'feature' in there?
Re:Hard to remove? (Score:3, Insightful)
Congrats. Now imagine that you don't know which window of a dozen well-known webpages has the malicious ad hidden in it.
Re:Clicked on the flash area in NoScript in the de (Score:3, Insightful)
Re:Opposite experience (Score:3, Insightful)
Unless you randomly paste links that you can't remember copying, visit them, and then decide to install the advertised antivirus software... I would consider this attack vector to be pretty benign. Darwin for the internet, if you will.
Re:Clicked on the flash area in NoScript in the de (Score:3, Insightful)
Why do you have to do it? Why is this not the default? The problem is that you started with a faulty concept, and then fixing it without breaking every other application is hard.
As I said before, I know MS is trying hard to fix this, but that was not my point, I was only pointing out that concepts can be broken independently of their implementation.