IE 5.0 opens up user clipboard contents to malicious Website operators


A US Webmaster is highlighting a significant security flaw in Microsoft Internet Explorer 5.0, which allows malicious Website operators to covertly read the contents of a user's clipboard.

According to Scott Wainner, who has set up a site to demonstrate the ability, the bug isn't in the newly bundled ActiveX control, DHTML, that enables the access (that is a feature), but in the fact that IE 5.0 ships with the "allow paste operations via script" option enabled by default.

Wainner says simply resetting the default security level in IE from "Medium" to "High" will not close the hole. Users must go to Tools, Internet Options, Security, click on the Custom Level button, find the "allow paste operations via script" option, and click on Prompt or Disable, then click OK, and click Apply.

The "allow paste operations via script" option did not appear in some IE 5.0 beta versions and its presence has not been highlighted by Microsoft in the release version.

The issue was first identified by Juan Carlos Garcia Cuartango, who posted his findings on a mailing list. In response, Microsoft spokesman Harry Goodwin said the option was set to 'enable' by default "to allow enhanced functionality" and that by using Microsoft's IEAK "admins can also adjust the default setting for this option before distributing Internet Explorer to their users".
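The manual steps above fix one machine at a time; for the administrator case Microsoft alludes to, the setting can also be audited from a script. The following PowerShell script is an added example, not part of the original article, and it assumes the option is stored as URL action value 1407 under the per-user Internet zone key (zone 3), with 0, 1 and 3 meaning Enable, Prompt and Disable respectively.

```powershell
# Added example (not from the article): audit, and optionally harden, the
# "allow paste operations via script" option for the Internet zone.
# Assumption: the option is URL action 1407 under the per-user zone key
# (zone 3 = Internet); 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Fix)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Action   = '1407'
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ScriptPasteSetting {
    # Returns the stored value, or $null when the value is absent
    # (an absent value means IE falls back to its shipped default, Enable).
    $prop = Get-ItemProperty -Path $ZonePath -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Action
}

$current = Get-ScriptPasteSetting
$label = if ($null -eq $current) { 'not set (defaults to Enable)' } else { $Labels[$current] }
Write-Host "Internet zone 'allow paste operations via script': $label"

if ($current -ne 3) {
    Write-Warning 'Script-driven clipboard access is not disabled for Internet-zone pages.'
    if ($Fix) {
        # Set the option to Disable (3); Prompt (1) would match the article's other suggestion.
        Set-ItemProperty -Path $ZonePath -Name $Action -Value 3 -Type DWord
        Write-Host 'Set to Disable (3). Restart Internet Explorer for the change to take effect.'
    }
}
```

Run it without `-Fix` to report the current state only, or with `-Fix` to set the option to Disable for the current user.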

The problem can also affect IE 4.0 users who have downloaded and installed the DHTML Active X Control.

A demonstration for those using IE 5.0 is available at http://www.sysopt.com/ie5flaw.html
