VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From:
Stewart Hughes <[log in to unmask]>
Reply To:
Stewart Hughes <[log in to unmask]>
Date:
Fri, 2 Apr 1999 14:42:12 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (341 lines)
-----Original Message-----
From: RBL <[log in to unmask]>
To: Recipient list suppressed <Recipient list suppressed>
Date: Friday, April 02, 1999 12:14 PM
Subject: PCA: HEAP BIG SECURITY FLAW IN IE5


>-= via RBL's PC ALERT http://www.RBLevin.net
>
>[x] News
>[  ] PR
>[  ] Op/Ed
>
>Source: http://www.sysopt.com/ie5flaw.html
>
>Major Security Flaw Present In IE5
>By default, IE5 gives any web site access to your Windows clipboard data.
>
>Article Date: March 27, 1999
>By: Scott Wainner
>
>(Before you seasoned IE users dismiss this, it is NOT the same as the IE4
>DHTML security flaw. Click here to find out
>why.)
>
>Introduction
>
>So, you're working on a couple of email messages to some friends, copying
>text here, pasting
>text there, using CTRL-C or "Edit - Copy". One of the letters you are
>working on is to your
>friend Jim - you're writing Jim to tell him that after 30 years of
>research, you finally discovered
>how to make cold fusion work! Finally, "free energy for the entire world!",
>you write. Just as
>soon as you announce your discovery at next week's physics convention,
>you'll be a billionaire.
>You're tired of writing though, so you decide to take a break and browse
>around on the 'net.
>You just downloaded IE5, and you're surfing around the web, minding your
>own business,
>perhaps taking a look at a few sites that you visit on a daily basis, and a
>few that you've never
>been to before.
>
>Several days later, you're watching NBC news, and see a story about a guy
>who just
>discovered how to make cold fusion work! And guess what, they used your
>formula! How did
>that guy get it?! Did he break into your home and steal it? No, while you
>were surfing around
>the 'net using IE5, one of the sites you visited decided to take advantage
>of a security flaw in
>IE5, and log the contents of your Windows clipboard to their server!
>
>The Problem
>
>Yes, you read correctly. IE5 has a security flaw that allows web servers to
>log the contents of
>your Windows clipboard cache to their server, without your knowledge or
>consent. Actually, the
>feature of allowing a site to request your clipboard data isn't the flaw.
>The flaw is that web sites
>are allowed to do it without any notification or consent needed using IE5's
>default security level
>settings. Whenever you copy text, using the "edit - copy" feature of just
>about every windows
>application, or hit "CTRL-C" to copy text, that text gets placed into the
>windows clipboard. You
>can then paste that text to Windows notepad, an email message, or wherever
>you feel like it.
>However, thanks to Microsoft IE5's default security setting, any web site
>using a snippet of
>Java/Active X code can read any and all of the text you have on your
>Windows clipboard.
>
>In order to give you a real world example of just how this really works,
>using IE5, go ahead and
>copy some text from another application (not from this Window, it does not
>work if you copy
>text from the IE5 window, unless you reload the page after doing so). Be
>sure there isn't
>anything in your clipboard cache that you don't want us to see - because of
>the way this
>demonstration works, your clipboard data is logged by our web server as a
>regular page
>request (in our server logs) - I can't control that. Then, click on this
>link to test out the IE5
>clipboard flaw. If you are not currently using IE5 to view this page, you
>needn't bother clicking
>on the link, because it won't work (but the flaw can be reproduced with
>IE4). NOTE! -- if you
>want to try the link more than once, you may need to reload this page each
>time!
>
>
>
>If you are using IE5, and you were able to click on that link, whatever was
>in your clipboard
>cache should have been displayed in a new window. In a real world
>situation, however, if I
>wanted to log the contents of your clipboard to my server, I would disguise
>the code so well
>that you would never even know about it, and probably wouldn't even require
>you to click on a
>single link. While I would rather expose the flaw and tell you how to
>prevent the problem from
>occurring, there are undoubtedly many crooks on the web who already know
>about this caveat,
>and are exploiting it like crazy.
>
>Other sites which have acknowledged the security flaw:
>
>Watch a Video segment of the ScreenSavers ZDTV Program featuring the flaw and
>SysOpt.com - (also visit the show's page)
>Listen to our Audio Interview at Byte.com
>The Register (UK) - IE 5 security hole lets snoopers scoop your clipboard
>Maximum PC - IE5 Has Clipboard Security Hole
>
>If you ask Microsoft, they will tell you that it isn't a bug. Rather, they
>might use the term "user
>configurable security issue". However, when you download IE5, it is
>configured by default to
>allow any web server to view the contents of your clipboard without your
>knowledge or consent.
>
>Microsoft added an Active X control feature to IE5 called The Microsoft
>Dynamic HTML Editing
>Component, which allows web designers to add WYSIWYG editing capability to
>their sites.
>This feature has two versions: DHTML Edit Control for IE5, and DHTML Edit
>Control Safe for
>Scripting for IE5. When a web designer uses code that applies to the first
>version, you will be
>warned if an HTML page contains script that would try to access your
>clipboard. However, it's
>simple to create a code snippet that uses the second version, which by
>default, you will not be
>warned about.
>
>It should be noted that this flaw can be duplicated in IE4. However, if you
>are using
>IE4, when you clicked on the demo link above, your browser would have prompted
>you to install "DHTML" (which is signed by Microsoft, by the way), unless
>you had
>installed DHTML for IE4 in the past. If you had never installed DHTML
>before, you
>would have been forewarned that the site is using DHTML code, and may
>possibly be
>trying to read your Windows clipboard cache (or may be using DHTML for a
>legitimate
>purpose). However, with IE5, DHTML comes standard with the browser, so you
>would
>not be notified of anything, nor would you be prompted or warned in any way
>thanks
>to IE5's default security settings. But if you installed DHTML for IE4 in
>the past, your
>clipboard cache has been vulnerable all this time, and IE4 would not have
>prompted
>you to allow the clipboard pasting operation unless you configured the security
>settings as such.
>
>The Solution
>
>When you install IE5, the default security level selected is "medium". As
>such, IE5 allows the
>DHTML Active X control to read your Windows clipboard data. So, the big
>question is, how do
>you prevent sites from being able to access your clipboard? The fix is
>simple, but totally
>obscure:
>
>In IE5, go to Tools, Internet Options, Security, then click on the Custom
>Level button, find the "allow paste operations via script" option, and click
>on Prompt or Disable, then click OK, and click Apply.
>
>Obviously, IE5 should definitely not have shipped with that option enabled.
>It clearly should
>have been shipped with it set to "Prompt", so users would be prompted when
>a site tried to do
>a "paste operation via a script", or even "Disable", to prevent the problem
>altogether. But, it is
>definitely set to "enable" by default, thereby making your clipboard data
>available to any site
>on the web. Also, some users say that the clipboard data can still be read
>even when they
>change the security option to disable - if that's true for you, please let
>me know. I know that
>setting it to disable prevents the clipboard data from being read using
>Microsoft's version of IE5,
>but if you downloaded it from another site, you might have a special
>customized version.
>
>
>Attention IE5 Beta Users: I have had several reports from users of IE5 beta
>versions who say
>that there is not an "allow paste operations via script" option in IE5's
>security settings, and that
>our demo script can indeed read their clipboard cache. If you are using an
>IE5 beta version, and
>don't want to upgrade to the full version (for some reason), here are
>instructions for configuring
>your system to prevent sites from reading your clipboard cache (note that
>this also disables
>DHTML safe scripting):
>
>Disclaimer: For advanced users of IE5 beta version, only! Modifying
>registry settings
>can cause major system problems if you are not at all familiar with the
>registry editor!
>Users of regular IE5 versions can simply follow the instructions above this
>section to
>set the "allow paste operations via script" option to "Prompt" or "Disable".
>
>Do NOT use this method unless you have Internet Explorer IE5 BETA and do
>not have
>the "allow paste operations via script" option in your browser security
>options! Instead,
>use the method above directly underneath "The Solution"
>Click on "Start", "run", type in "regedit", hit return
>In the registry editor, click on "Edit", "find", and in the "find what"
>field, enter
>"2D360201-FFF5-11d1-8D03-00A0C959BC0A" without the quotes, and hit enter.
>Right click on the highlighted "2D360201-FFF5-11d1-8D03-00A0C959BC0A" registry
>entry, then click on "Rename"
>The registry key should now be highlighted. What you want to do is to add a
>character
>at the end of the string, after the "A" and before the "}". I used a "*"
>character. So, left
>click between the "A" and the "}", and hit the "*" key, then hit enter.
>Now if you come back to this page and try to click on the demonstration
>link, IE5 should
>return an error and not allow our site to read your clipboard.
>If you ever want to make use of DHTML safe scripting, however, you will
>need to edit the
>registry key using the same method that I described above, and simply
>remove the "*"
>character that you added to the string, and hit return. Then, if you want
>to test it, reload
>this page, and it should work once again.
>
>
>
>Microsoft's Response
>
>This problem was discovered a few days ago by Juan Carlos Garcia Cuartango
>who announced
>his find via a mailing list, and we were the first site to cover the
>problem. Microsoft saw Juan's
>post, responded, and here is what they said:
>
>Date: Thu, 25 Mar 1999 10:06:01 -0800
>From: Harry Goodwin
>To: [log in to unmask]
>Subject: Re: IE 5 security vulnerabilities
>
>I wanted to take a moment to thank Juan Carlos for bringing these issues to
>Microsoft's
>attention prior to posting the issues publicly. I also wanted to post
>Microsoft's response to the
>issues he's discovered.
>
>1) Internet Explorer has customizable security settings in place for users
>who are concerned
>about allowing certain functionality. In this particular case, concerned
>users can easily block
>this behavior by checking either 'disable' or 'prompt' under "Allow paste
>operations via script" in
>the custom settings section in security zones. Using the IEAK, admins can
>also adjust the
>default setting for this option before distributing Internet Explorer to
>their users. The option is
>set to 'enable' by default to allow enhanced functionality.
>.../snip/...
>
>Conclusion
>
>It seems Microsoft isn't too concerned about the problem, and it sounds
>like they just sort of
>expected users to know about the "Allow paste operations via script"
>security option. It's not
>the "allow paste operations via script" feature that is the problem. The
>problem is that it is set
>to "enable" by default, and not to "prompt", which means that unsuspecting
>users will be
>broadcasting their clipboard data to every site who wants to read it. I
>don't know about you, but
>the thought didn't quite occur to me when I downloaded IE5.
>
>Don't get me wrong though, the clipboard data security flaw aside, I think
>IE5 is now probably
>better than Netscape and IE4 (WAY faster, more features, etc, and I've been
>a diehard
>Netscape user FOREVER). This flaw should definitely not keep you from using
>IE5 - just be
>aware of the DHTML issue, and set the security option accordingly.
>
>This page has been viewed 33347 times since March 27, 1999.
>
>
>
>----------------------------------------
>
>
>
>Compliments of Rich Levin's PC ALERT service (http://www.RBLevin.net)
>
>To SUBSCRIBE, send any ol' e-mail message to [log in to unmask], with the
>words SUBSCRIBE PC ALERT as the subject, or click this hyperlink:
>
> mailto:[log in to unmask]
>
>To UNSUBSCRIBE, send any ol' e-mail message to [log in to unmask], with the
>words UNSUBSCRIBE PC ALERT as the subject, or click this hyperlink:
>
> mailto:[log in to unmask]
>
>To CONTRIBUTE, send an e-mail message to [log in to unmask], with the words
>PC ALERT as the subject, or click this hyperlink:
>
> mailto:[log in to unmask]
>
>Please allow a few years for Subscribe and Unsubscribe requests to be
>processed.
>


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html
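
An added example, not part of the forwarded article or of this list post: a small Python audit that reads a regedit export and reports the security zones where "Allow paste operations via script" is set to Enable. It assumes the per-zone value name 1407 (URLACTION_SCRIPT_PASTE) under Internet Settings\Zones, with 0 = Enable, 1 = Prompt and 3 = Disable; the export text is constructed.

```python
import re

# Assumption (not from the article): value "1407" is URLACTION_SCRIPT_PASTE,
# the per-zone "Allow paste operations via script" policy.
SCRIPT_PASTE = "1407"
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}

# Constructed sample: a regedit export of the per-user zone settings.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1407"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1407"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1407"=dword:00000003
'''

KEY_RE = re.compile(r"^\[.*\\Internet Settings\\Zones\\(\d+)\]$", re.I)
VAL_RE = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def script_paste_by_zone(export_text):
    """Return {zone_id: policy_value} for the script-paste action."""
    found, zone = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = m.group(1) if m else None  # any other key clears the zone
        elif zone is not None:
            m = VAL_RE.match(line)
            if m and m.group(1) == SCRIPT_PASTE:
                found[zone] = int(m.group(2), 16)
    return found

def audit(export_text):
    """List (zone name, setting) pairs where script paste needs no prompt."""
    findings = []
    for zone, value in sorted(script_paste_by_zone(export_text).items()):
        if value == 0:  # Enable: the default the article objects to
            findings.append((ZONES.get(zone, "zone " + zone), POLICY[value]))
    return findings

if __name__ == "__main__":
    for name, setting in audit(SAMPLE_EXPORT):
        print(f"{name}: Allow paste operations via script = {setting}")
```

A zone that has no 1407 value in the export is not reported either way, so an empty result only means no zone was explicitly set to Enable.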

