Adobe Flash ads launching clipboard hijack attack

Discussion in 'other security issues & news' started by tlu, Aug 19, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    http://blogs.zdnet.com/security/?p=1733

    The solution for Firefox users is easy: with NoScript you are protected even if you whitelist the site where such Flash ads are placed, as these links pointing to other sites are still blocked.

    Most of these ads should also be blocked when using Adblock Plus. You should also subscribe to the new Malware Domains blocklist.

    Solutions for other browsers might be found in one of the links provided in this thread.
     
  2. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    479
    Could this problem be avoided if one ran the browser inside a sandbox (Sandboxie or similar)?
     
  3. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Well, Sandboxie would allow the copying to the clipboard. That article states:

    "So if you at some point pasted what you thought was a different web address into the address field and clicked 'Go', you would be pasting that malware link. You might not notice that the pasted address is not the address you intended to paste."

    So this would all happen... but it would be in the sandbox. ;)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, many thanks for this. So interesting.

    Let's start playing. I tried the POC.

    GesWall - bypassed
    CFP HIPS - bypassed
    ThreatFire - bypassed

    :thumb: :thumb: :eek: :eek: Very clever piece of malware activity. Try your HIPS, guys!!
     
    Last edited: Aug 19, 2008
  5. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Excuse my ignorance, what am I specifically supposed to see or experience with this POC? Does this POC work in Opera?


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Aug 19, 2008
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The POC works with both IE 7 and Opera. It even works with Opera when JS is disabled. However, it does not work if I disable Flash (plugins) in Opera.

    Haven't tested FF.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just click the POC and see what is pasted in your clipboard. Now try to do some copy/cut/paste operation and you will not be able to do anything until you close the browser window.


    Hmmmm...... time to test DW. If DW passes this, it will be a big achievement. :p
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    And what if you're using non-Adobe Flash...?
    Will have to check this out later.
    Mrk
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    EQS with Alcyon's BLOCK FLASH COOKIES/CONTENT kills this POC nicely. Just tried it.

    EASTER
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's not a PASS. You can just disable Flash and you will pass without any HIPS.
    I will take a HIPS pass if it intercepts the actual clipboard hijack. If EQS/Alcyon's rules do it, let us know.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmmm... OK, let us know. Never heard of non-Adobe Flash.
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Gnash doesn't show anything. I think it's Flash 7 ready, not 9 (which seems to be the case).
    Gnash 0.8.3
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anyone test ProSecurity?

    Thanks
     
  14. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    Thank you, it is clear now. FYI, unfortunately, DefenseWall does not protect against this POC.


    Peace & Gratitude,

    CogitoErgoSum
     
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    Here are links relevant to this discussion and topic.

    http://www.dslreports.com/forum/r20925461-Malvertisement-on-MSNBCcom-using-clipboard-copypaste (Malvertisement on MSNBC.com using clipboard (copy/paste))
    http://msmvps.com/blogs/spywaresucks/archive/2008/08/09/1644062.aspx (ALERT: malvertizements utilizing computer clipboards (copy and paste).)
    http://msmvps.com/blogs/spywaresucks/archive/2008/08/15/1644705.aspx (Another nail in the 'Apple and Firefox are more secure' coffin)
    http://msmvps.com/blogs/spywaresucks/archive/2008/08/18/1645130.aspx (ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks)
    http://msmvps.com/blogs/spywaresucks/archive/2008/08/18/1644914.aspx (The Clipboard hijacks continue....)
    http://msmvps.com/blogs/spywaresucks/archive/2008/08/19/1644990.aspx (Malicious SWF copying data to computer clipboards... the discussions continue)


    Peace & Gratitude,

    CogitoErgoSum
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Most of those articles are mindless rants. The next time someone writes Linux etc. are not more secure than Windows ... I'm gonna slit a wrist ... not mine, of course.

    I'm tired of explaining root, permissions, modularity ... Some people just don't get it.

    BTW, NoScript works as expected. The article claiming otherwise is CRP. The fact someone allows content to run is not the fault of the application. Blaming a gun for shooting yourself in the foot.

    Mrk
     
  17. tlu

    tlu Guest

    Exactly. Quote from http://msmvps.com/blogs/spywaresucks/archive/2008/08/18/1645130.aspx:


    Which NoScript user who isn't completely insane would do such a thing and disable that default behavior?

    This guy (sandi) is spreading FUD.
     
    Last edited by a moderator: Aug 20, 2008
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You people are too emotional for FF. NoScript is not a part/setting of FF by default. Also, ordinary users do use Flash enabled everywhere. So the exploit does work without problems. This is all I understand.

    I don't say it's the fault of FF. Of course it's a problem with Adobe Flash.
     
    Last edited: Aug 20, 2008
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmmm.... I really guessed so.

    Not sure how hard it can be to implement in a sandbox, maybe some functionality issues.

    I have yet to see any HIPS intercepting this attack.
     
  20. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Interesting POC...
    Indeed DefenseWall does not protect against this.
    Not a peep from AntiBot either.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm, I guess no HIPS will be able to intercept this. I am no expert, but it seems something with JS, and no HIPS/sandboxes intercept JS. Am I right?

    Adobe people need to fix their Flash or we get Silverlight. :D
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    aigle, NoScript objectively stops this. The blogger that says it doesn't basically admits that NS does block it, in default settings.
    The title works because people only read the title and don't read.
     
  23. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
    I could not agree with you more, tlu!
    With FF 3.0.1, NoScript & AdBlock+, that baby ain't messing around with my PC, unless I say so!
     
  24. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,668
    Location:
    Philippines
    After looking at that 5th post and seeing the obvious malware link and the other legitimate link, am I to assume then that this means the creator of that post "0ld Owl333" unwittingly posted that malware link in addition to his other MSNBC link because it was somehow sitting in his clipboard? (Clicking that link only sends me to the malware site; nothing is placed in the clipboard.)

    That is sort of like me posting a link in this post I am drafting and not seeing that what I just pasted from the clipboard was not what I had copied and clearly not what I intended before posting.

    Seems like the only way this would work is if the user is not paying attention.

    For what it's worth, just closing the tab or affected window in Fx releases the clipboard; no need to exit Fx.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hmmm, false confidence alarm.

    Seems the exploit indeed works even in EQS with the extra RuleSet.

    I'm sure though it could be blocked by applying some appropriate ruleset, but not the present one for certain.

    EQS = Bypassed
     