Adobe moves to nuke ‘clipboard hijack’ attacks
Adobe has announced plans to modify the next version of its Flash Player to use an “allow/deny” system to mitigate clipboard hijack attacks.
The change will be fitted into the final version of Flash Player 10 to demand user interaction when a Shockwave (.swf) file attempts to set data on a user’s clipboard. It follows news that malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.
(See Aviv Raff’s proof-of-concept demo to show how easy it is to use Flash with ActionScript code to persistently load a malicious URL into a target clipboard).
Here’s the skinny on the Flash Player 10 changes:
[ SEE: Can Adobe mitigate ‘clipboard hijack’ issue? ]
- In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the
System.setClipboard()method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0Clipboard.generalClipboard.setData()andClipboard.generalClipboard.setDataHandler()methods.
- This change can potentially affect any SWF file that makes use of the
System.setClipboard()method. This change affects SWF files of all versions played in Flash Player 10 beta and later. This change affects all non-application content in Adobe AIR—however, AIR application content itself is unaffected.
- Any existing content that sets data on the system Clipboard using the
System.setClipboard()method outside of an event triggered by user interaction will need to be updated. Setting the Clipboard will now have to be invoked through a button, keyboard shortcut, or some other event initiated by the user.
[ SEE: Adobe Flash ads launching clipboard hijack attack ]
Adobe already uses an allow/deny mechanism when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods.
* Photo credit: EdTarwinski’s Flickr photostream (Creative Commons 2.0)
[Source: zdnet]
Post a Comment