Adobe to prevent clipboard attacks via Flash Player
In the coming first beta of Flash Player version 10, Adobe apparently intends to prevent crafted web sites from manipulating the clipboard. The aim is to make it impossible to overwrite the content of the clipboard and replace it with new content. In earlier versions of Flash Player, read access is not allowed at all. In a short test by the heise Security team, the known clipboard exploit by Aviv Raff admittedly no longer worked at the first attempt on the current version 10 beta, but clicking the settings still inserted the string
In the now well-known attacks on visitors to Newsweek, Digg and MSNBC, Flash advertising banners wrote a URL into the clipboard that took users to a page on which an alleged online antivirus scanner scared them with a warning that their PCs had been infected, in order to sell them software. The clipboard attack worked under Windows, Linux, and Apple Mac OS X.
The cause of the problem is the System.setClipboard function, which allows writing to the clipboard using the ActionScript engine embedded in Flash. Version 10 will limit this function so that it can only be called in response to a user interaction, such as a mouse click or a keyboard input. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setDataHandler functions. Under Flash Player 10, this may also degrade the operation of other Flash applets that have nothing to do with security.
Version 10 incorporates further security improvements, but now allows Flash Player read access to the clipboard for the first time. Adobe intends to restrict misuse by stipulating that the newly introduced Clipboard.generalClipboard.getData function may only be called by an event handler that is currently processing a flash.events.Event.PASTE event, in other words a user interaction that triggers such an insertion. Whether this limitation will be enough to protect the clipboard from being accessed by crafted web sites will only be revealed by tests on the final version 10.
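The interaction rule described above, as an added ActionScript 3 example that is not code from Adobe or from the original article. The class name ClipboardGateDemo and the helper tryWrite are hypothetical, and the example assumes the class is the SWF's document class, so that stage is available in the constructor.

```actionscript
package {
    import flash.desktop.Clipboard;
    import flash.desktop.ClipboardFormats;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.MouseEvent;
    import flash.system.System;
    import flash.text.TextField;

    // Hypothetical document class; every name defined here is illustrative.
    public class ClipboardGateDemo extends Sprite {
        private var out:TextField = new TextField();

        public function ClipboardGateDemo() {
            out.width = 480; out.height = 160; out.selectable = false;
            addChild(out);

            // No user event is being processed at load time, so under the
            // Flash Player 10 rule this write is the case that gets blocked.
            tryWrite("at load");

            stage.addEventListener(MouseEvent.CLICK, onClick);
            addEventListener(Event.PASTE, onPaste);
            stage.focus = this; // paste events are delivered to the focused object
        }

        private function onClick(e:MouseEvent):void {
            // Called while a mouse click is being handled: the permitted case.
            tryWrite("in click handler");
            stage.focus = this;
        }

        private function onPaste(e:Event):void {
            // Reading is confined to the handler of an Event.PASTE event.
            var text:Object = Clipboard.generalClipboard.getData(ClipboardFormats.TEXT_FORMAT);
            out.appendText("paste handler read: " + text + "\n");
        }

        private function tryWrite(where:String):void {
            try {
                System.setClipboard("copied " + where);
                out.appendText(where + ": write call returned\n");
            } catch (err:Error) {
                out.appendText(where + ": write call threw (" + err.message + ")\n");
            }
        }
    }
}
```

An applet that used to fill the clipboard from a timer or at load time has to move that call into a click or key handler like onClick to keep working under the new rule.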
- Understanding the security changes in Flash Player 10 beta, blog entry by Trevor McCauley