September 19th, 2008

Adobe moves to nuke 'clipboard hijack' attacks

Posted by Ryan Naraine @ 1:02 pm

Categories: Adobe, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Flash, Hackers, Malware, Patch Watch, Spam and Phishing, Spyware and Adware, Vulnerability research, Zero-day attacks

Tags: User Interaction, Adobe Systems Inc., Macromedia Flash Player, Attack, Keyboards, Security, Hardware, Peripherals, Ryan Naraine

Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.

The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

(See Aviv Raff’s  proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).

Here’s the skinny on the Flash Player 10 changes:

[ SEE: Can Adobe mitigate ‘clipboard hijack’ issue? ]

• In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.

• This change can potentially affect any SWF file that makes use of the System.setClipboard() method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.

• Any existing content that sets data on the system Clipboard using the System.setClipboard() method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.

 * Photo credit: EdTarwinski’s Flickr photostream (Creative Commons 2.0)