ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Topic subject edited to add the word "always".  I stand by my statement that there are users out there who believe that "NoScript" will protect them from incidents like the clipboard hijack, even when they have disabled "Forbid Flash", and need to be told that this is not so.  Perhaps my original article, without the edits and note in bold, was insufficiently clear, but that has been addressed.

The hijacking of clipboards by malicious SWF is proving to be a very popular topic:

http://www.trustedsource.org/blog/145/Rogue-Flash-ads-hijack-your-clipboard
http://news.bbc.co.uk/2/hi/technology/7567889.stm
http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/
http://blogs.pcmag.com/securitywatch/2008/08/mac_users_get_clipboardjacked.php
http://blogs.zdnet.com/security/?p=1733
http://www.scmagazineus.com/Clipboards-hijacked-by-furtive-code/article/115503
http://www.sophos.com/security/blog/2008/08/1671.html?_log_from=rss

Somebody posted at ZDnet to claim that "Once again, NoScript saves our collective keesters!"  Sorry, but this is not true.  You can try it out for yourself.  Edit: you do, of course, need to have set NoScript to allow Flash to display by turning off the "Forbid Adobe Flash" option, or have otherwise allowed the Flash content to display.

Fire up Firefox with NoScript, then go to this "proof of concept" URL:
http://raffon.net/research/flash/cb/test.html

Now, check your clipboard.  You will find that it is populated with an "evil.com" URL.  You will not be able to change that clipboard text until you close the raffon.net page in Firefox.

Some other points to pay particular attention to...

  1. Some users have pointed out that the malicious URL leads to Google.  This is standard operating procedure for malicious advertising campaigns that have not been 'activated' or that have been discovered and reported.  Changing the destination URL from Google to a fraudware domain (and back again) is a trivial thing for the bad guys, accomplished in minutes.
  2. Some users have recommended enabling the Internet Explorer setting that blocks programmatic access to the clipboard.  This will not work.  Blocking programmatic access to the clipboard only stops web sites from *reading* the clipboard; it does not stop them from *writing* to it.
  3. Some users have said that they are forced to reboot the computer to get rid of the clipboard problem.  This is not necessary.  Once you identify and close the web page that is hosting the malicious SWF you will regain control of the content of your clipboard.
  4. Some users are saying that it is no big deal because no malware is being installed on computers.  That may be so, but the trick *is* getting the URL on to web pages, and therefore in to Google and other web searches.  Viewers *will* click on the malicious link - not all of them, maybe not a lot of them, but some will click, and the bad guys will take any hits they can get.
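
The symptom described above (the clipboard snapping back to the same URL until the hosting page is closed) can be spotted from periodic clipboard readings. The following is an added example, not part of the original article: the sample timelines, the `evil.example` URL and the thresholds are constructed assumptions, and the readings are supplied inline rather than taken from a live clipboard.

```python
import re
from collections import defaultdict

# Only URL-shaped clipboard content is of interest here, because the hijack
# described in the article plants a link for the user to paste somewhere.
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)


def find_reasserted_values(samples, min_reassertions=2, window=30.0):
    """Flag URLs that keep coming back after other content replaced them.

    samples: list of (timestamp_seconds, clipboard_text) in time order,
             e.g. produced by polling the clipboard once a second.
    A "reassertion" is a change of clipboard content to a URL that was
    already seen earlier. A value is flagged when it reasserts itself at
    least `min_reassertions` times within `window` seconds.
    Returns {url: [timestamps of every reassertion]}.
    """
    seen = set()
    reassertions = defaultdict(list)
    previous = None
    for ts, text in samples:
        if text == previous:
            continue  # unchanged since the last poll
        if text in seen and URL_RE.match(text.strip()):
            reassertions[text].append(ts)
        seen.add(text)
        previous = text

    flagged = {}
    for value, times in reassertions.items():
        for i in range(len(times) - min_reassertions + 1):
            if times[i + min_reassertions - 1] - times[i] <= window:
                flagged[value] = times
                break
    return flagged


def released_at(samples, value):
    """Timestamp of the first reading after `value` was last observed.

    This approximates when the page hosting the SWF was closed and the user
    regained control. Returns None if the value is still on the clipboard
    at the end of the timeline or never appeared.
    """
    last_index = None
    for i, (_, text) in enumerate(samples):
        if text == value:
            last_index = i
    if last_index is None or last_index == len(samples) - 1:
        return None
    return samples[last_index + 1][0]


# Constructed timeline: the user copies text twice and each time the same
# URL displaces it, until the offending tab is closed shortly before t=9.
HIJACK_TIMELINE = [
    (0.0, "meeting notes"),
    (1.0, "http://evil.example/"),
    (2.0, "http://evil.example/"),
    (3.0, "paragraph the user copied"),
    (3.5, "http://evil.example/"),
    (6.0, "another user copy"),
    (6.5, "http://evil.example/"),
    (9.0, "user copy after closing the tab"),
    (12.0, "user copy after closing the tab"),
]

# Constructed benign timeline: the user copies the same link again several
# minutes later. One isolated reassertion is not enough to flag it.
BENIGN_TIMELINE = [
    (0.0, "http://example.org/a"),
    (5.0, "some text"),
    (400.0, "http://example.org/a"),
    (410.0, "other text"),
]

if __name__ == "__main__":
    for name, timeline in (("hijack", HIJACK_TIMELINE), ("benign", BENIGN_TIMELINE)):
        hits = find_reasserted_values(timeline)
        print(name, hits)
        for url in hits:
            print("  control regained at t =", released_at(timeline, url))
```

A hit only says that something is rewriting the clipboard; finding which open page hosts the SWF is still a matter of closing tabs until the value stops returning.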

So, what is the quickest and easiest way to avoid this problem?  Block Flash.

Note: NoScript was set to allow Flash and Silverlight to display (which is not the default setting, but is a setting that is more common than some would like to admit).   The raffon.net site is NOT a whitelisted site in NoScript, and the option to "temporarily allow" scripts on raffon.net was not selected, nor was any other "allow" option used.

Published Sat, Aug 16 2008 20:21 by sandi

Comments

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Tuesday, August 19, 2008 7:40 PM by Angus S-F

Actually, if you don't trust raffon.net NoScript _does_ protect you, at least it protected me. See what happened when I went to the site in a virtual machine with Firefox+NoScript: imgfreehost.com/out.php

Here's my NoScript config WRT untrusted sites and flash:

imgfreehost.com/out.php

These settings are the default, except that I check the "Forbid iFrame" box for untrusted sites whenever I set up NoScript.

NOTE: images will only be readable for 60 days ...

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Tuesday, August 19, 2008 10:26 PM by Jeff

Of course the proof of concept works, if you allow the site in NoScript.

In the case of the actual hijack, though, it is being spawned from a third party advertiser (possibly quantserve/quantcast - their URL shows up in many of the sites where the hijack is being reported), and one which is likely to be marked untrusted anyway.

I have yet to see this hijack for myself on any of the sites where it has occurred, probably because of my hosts file (I use the one from Mike Burgess).

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 12:02 AM by sandi

@Jeff

I did *NOT* allow the site in NoScript.  The only non-default setting is that Flash and Silverlight are "allowed".

I had to specifically mark the raffon.net domain as "untrusted" for the test to fail when Flash is allowed to display.

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 12:48 AM by Lucian Constantin

While I fully appreciate your posts and I constantly read them, I must say this one I do not agree with. The title is a kind of a hook (it does not reflect the reality of the content), at least in my opinion.

NoScript blocks flash and silverlight by default. What more could it do since flash is basically a .swf file which you either choose to run or not? I do not think you can allow just parts of it, with NoScript or anything else.

When you join a page with such ads they are usually served from third-party links (ad networks etc.) If the page contains flash you want to see you can choose to see only flash from the original link. Either way, people use NoScript to speed up browsing and not display ads.

The question is: can we really blame NoScript for user behavior? NoScript offers you the initial protection. If you choose otherwise it is not NoScript to blame but you in my opinion. If you choose to allow a particular flash script to run or all of them then it is you who is responsible for this decision and not NoScript.

It is like blaming an antivirus software because a user got infected while having it installed but keeping it shut off. It's not fair. NoScript DOES protect against swf clipboard hijacks through its default setting, it does not protect however against human decision.

# Firefox with NoScript DOES protect from SWF clipboard hijacks AND this article is ridiculously deceptive

Wednesday, August 20, 2008 3:08 AM by Giorgio Maone

NoScript blocks this *by default*.

If you tweaked it on purpose not to block it, it's your problem, not NoScript's.

ALERT: IE 7's "protected mode" on Vista does NOT protect from anything

POC:

1) Disable IE 7's protect mode

2) ...

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 5:00 AM by sandi

@Giorgio,

I did not "tweak it on purpose" and I will thank you for NOT accusing me of a deliberate deception.  I originally downloaded the product for its "no script" protection - the ability to block Flash or Silverlight was a secondary benefit that I did not want.  The option to enable Flash was turned on a long time ago and the change forgotten.

@Lucian,

Regarding your statement that people "use NoScript to speed up browsing and not display ads" I am sure that you will agree that those features are generally seen as a secondary benefit.  NoScript's primary purpose is seen as protecting from bad scripts when viewing web pages - "blocking script" is touted as a big benefit more than any other feature.  This is a very important point to remember when we consider public perceptions and assumptions.

@all,

I was prompted to write this article because I saw a comment where a person claimed that NoScript had not protected them against the clipboard hijack.  That person did not realise that NoScript would not block SWF ActionScript, and that is a concern because there is likely to be many, many, many people out there labouring under the same misapprehension.  Even the first commentator on this page claimed that I must have "allowed the site in No Script".

The general public who have been encouraged to install NoScript, and who are told that scripts will not run unless they specifically allow it, do NOT draw a distinction between javascript in a web site's source code and ActionScript within a SWF that is being displayed on that same web site.  To them, a script is a script is a script and if they are promised that scripts will not run unless they specifically allow it or have whitelisted the site, then that is what they will expect.  

It should be noted that the SWF clipboard hijack does not work if the site displaying the SWF is marked as Untrusted.  This is the opposite of what the general public expects.  They expect to be protected from all script that they may encounter at a web site unless they use the "allow" feature or whitelist a site.

Y'all can hide behind the "SWF are disabled by default" argument if you want, but as far as I am concerned you are missing the point.  That argument is cold comfort to those affected by the misunderstanding that triggered the article in the first place.

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 6:09 AM by Lucian Constantin

Sandi,

I am sorry if I offended you in any way by my comment. I did not intend that. I was just commenting on the title of this article, which is kind of radical in my opinion. I do not feel a perfectly good software should be accused because of how it is used by the users. No security software can stand in front of user decision. No matter how much protection a software offers by default settings, if the user chooses to change the settings the level of security is likely to be reduced.

Now regarding the last comment, let's rewind for a bit, because I'm starting to get confused myself.

Within NoScript, SWF is considered "script" and is blocked by default on a website. There are a few actions a user can take here:

1. Click on a blocked SWF <object> in order to allow it to run. This will allow ONLY that SWF to run on the webpage and not all of them.

2. Add the website to the whitelist. This will result on all SWFs on that website to run, but ONLY hosted on that website. SWFs on the website that are called from other domains/links/locations will NOT run.

3. Go into NoScript options and disable blocking Flash from Plugins. This will allow all SWFs on any website to run. I do not see why users would do that, or the ones that do are fewer than the ones that don't.

Now regarding my statement that users use NoScript to block ads and increase browsing speed. That is indeed a secondary feature, but it is also a direct consequence of NoScript not running flash scripts by default. I do not think the vast majority of users are interested in seeing ads when they are browsing, so this option is most likely to stay on.

"I was prompted to write this article because I saw a comment where a person claimed that NoScript had not protected them against the clipboard hijack. That person did not realise that NoScript would not block SWF ActionScript," <-- It does block it by default. If SWF doesn't run the ActionScript doesn't get executed.

"The general public who have been encouraged to install NoScript, and who are told that scripts will not run unless they specifically allow it, do NOT draw a distinction between javascript in a web site's source code and ActionScript within a SWF that is being displayed on that same web site.  To them, a script is a script is a script and if they are promised that scripts will not run unless they specifically allow it or have whitelisted the site, then that is what they will expect." <-- No distinction needs to be drawn by the common user. Their expectation is correct. NoScript blocks SWF by default and will not run it except if specifically allowed. I don't see the lack of truth here.

"It should be noted that the SWF clipboard hijack does not work if the site displaying the SWF is marked as Untrusted.  This is the opposite of what the general public expects.  They expect to be protected from all script that they may encounter at a web site unless they use the "allow" feature or whitelist a site." <-- What they expect is what happens. When you open a new site it is by default considered untrusted and all scripts are blocked until you add it to the whitelist and as previously mentioned, you can hand-pick SWFs to allow one by one without adding the entire website to whitelist. There is no user-performed action necessary to block SWFs on a new website. It is done automatically.

I do not hide behind "SWF are disabled by default". I care for security and I care for affected users, but the way I see it NoScript delivers on its promise by blocking SWF/Actionscript and thus protecting from this hijack. There is no additional action a user needs to take after installing NoScript. Also I consider that users that are likely to disable the default setting of Flash blocking are a minority and the majority of users leave this setting as it is.

Again, sorry if I offended in any way. I admire your work and efforts.

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 6:15 AM by Giorgio Maone

@sandi:

As far as I'm concerned, *you* are missing the point and, deliberately or not, being deceptive.

NoScript's headline says:

"this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser. "

So Flash is disabled by default on unknown sites, and this is also clearly advertised as the right thing to do and an integral NoScript features.

Most users do not even know what ActionScript is, let alone imagining that NoScript will block it while Flash is allowed, and anyway the word "ActionScript" is never mentioned in NoScript's documentation or UI: NoScript users are encouraged to look at JavaScript, Java, Flash, Silverlight and other plugin content as equally dangerous "active" stuff, and NoScript coherently disables the whole by default.

You wrote 'Even the first commentator to this entry claimed that I must have "allowed the site in NoScript"', but this just confirms my point: most users don't bother to change the default configuration, they just use the allow/forbid commands and, if you did too, you would be protected just as 99% of NoScript users.

Then, if you feel to be an "advanced user" and you go to change NoScript's options as you did, allowing Flash and Silverlight even if they're advertised as dangerous, you're supposed to know what you're doing and the risks you're taking (RTFM).

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 7:00 AM by Denis

sandi, you're being silly. Amateur user, who installs NoScript does not tweak security settings. If he does, well, who is at fault? He could as well disable NoScript at all.

You do not blame the security software for failing you, when you explicitly ask it to ignore the risk. It is like ignoring anti-virus popup "File you are trying to run contains a virus!"

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 7:50 AM by Peter du Toit

everyone - giorgio maone made noscript.  he is dishonest to not say that in comments.

giorgio - how do you know what users do? does noscript send reports if users change settings? that is spyware.

denis - amateur users are lazy.  they do not tweak settings they turn them off.  

sandi is right. some users do not understand & need warning.

noscript can be dangerous

aviv.raffon.net/.../SecurityQuotbestquotPractices.aspx

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 8:03 AM by Colin

The hijack did not work as claimed. Maybe it worked for you because you enabled ALL flash and silverlight (not that silverlight is important, I mean, only Microsoft uses it). I (and most people using NoScript) have them both blocked by default.

Hey! Hey! Guess what! You can't get viruses in Internet Explorer if you never use it. OMFG!

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 11:06 AM by Here come the fanboys.

The anti-Internet Explorer, pro Firefox fanboys need to take their mutual circle jerk back where it came from.

hackademix.net/.../alert-ie7s-protected-mode-does-not-protect-from-anything

Thank you to Peter du Toit for revealing Giorgio Maone has a vested interest in defending NoScript.  He is also biased against MVPs.  Two strikes against him.

Is the Denis here the same Denis who posted at hackademix and who runs a web site that states "Microsoft Internet Explorer is dangerous, malicious and incompatible browser. Please consider switching to some other browser. You might want to read a good article about what’s wrong with Internet Explorer."?

Giorgio and Denis are biased.  They are anti IE, anti MVP and pro FF.  Do us all a favor and come back when you have learned to look at the world with both eyes instead of just one.

# Actually, no one knows what the users are doing.

Wednesday, August 20, 2008 11:32 AM by Matt

Look, no one knows if the users are disabling security.  If the user disables the security, then noscript can't protect them.  If the user keeps the security, then noscript will protect them.

Arguing that noscript *can't* or *won't* protect you is disingenuous and assumes that every user lowers the security.  The fact is that noscript *will* protect you *if you allow it to do so.*

A better headline and article would have been: Disabling noscript's Flash blocker will make FF users vulnerable.  That would be accurate.

Also, I haven't heard yet, is IE7 with default security settings secure from this?  Safari?  Opera?  We know that FF isn't without the help of noscript.  What about the others.

Anyone arguing that noscript users by and large leave the security alone are arguing from silence.  We don't know one way or the other.

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 11:40 AM by Jordan

Can everybody get over the personal attacks, the accusations of bias, and stick to the facts?  

The fact is, there is no "flaw" in NoScript.  It behaves exactly as it claims it does.  If you tweak its settings it to allow certain behavior, it does as it claims and /allows that behavior/.  Why should that be a surprise?

Sandi -- to be clear, what are you suggesting is broken or needs fixing?  Would you rather the option to globally allow Flash were not a user-configurable setting?  Are you asking for it to have a triple "are you sure" confirmation dialog with blinking warnings to try and prevent users from making that change and then forgetting about it?  

Trying to keep the user from shooting themselves in the foot is a noble goal, but will inevitably fail.  There's only so much you can do to protect users from themselves.

# re: ALERT: Firefox with NoScript does NOT protect from SWF clipboard hijacks

Wednesday, August 20, 2008 11:42 AM by Giorgio Maone

@"Here come the fanboys" & Peter du Toit:

do you really think that if I wanted to hide my "vested" interest in NoScript (BTW, do you know it's free and open source?) I would have posted both my full name and the http://hackademix.net URL? Brilliant!

Regarding my supposed "anti-MVP" bias, I was just reinforcing my confidence in this post (in its original unedited "NoScript does NOT protect" formulation) being a joke, hinting at the notorious humour of Microsoft people: "after all, its author is a MVP…", i.e. after all they've got to deal with flying chairs and "developers! developers!! developers!!!" ;)

@Peter du Toit:

aviv.raffon.net/CommentView,guid,4B4C3A69-03C7-42E8-A1B5-844A99427731.aspx

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 12:30 PM by Mr. Sender

FYI:

www.kriptopolis.org/noscript-no-sirve-segun-mvp-microsoft

Congratulations you'll be famous!!

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 5:10 PM by Unpartial Thinker

So sad to see fanboys from both sides coming and making such terrible security assumptions/discussion...

NoScript can protect you of the SWF Clipboard hijacks.

UAC can protect you from executing malware on windows vista.

Did you see my point?

No?

Well, NoScript as UAC are preventive security measures that will ask the user to "grant execution" to certain applications or actions (in the case of noscript firefox embedded plugins).

So who is the blame?

if the user choose to give permission then is user-fault, not noscript neither uac.

Sandi next time limit your comments to the "specific environment" you are testing, yes I agree that most of the malware is present on google (everybody trusts in google) so noscript measures will be bypassed from his whitelist concept (itself) but this is not a new concept, people like rsnake, sirdarckcat and several people have pointed this approach to bypass noscript, so it is well known.

Regards

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 6:18 PM by Luzbel

Hi Sandi,

Come on, everyone commit an error sometime, it's a wise action admit it and learn about it.

All add-in for firefox and IE7 doesn't change in any way the internal interpretation, execution and render of any flash objects or third-party web objects, this mean that will not prevent completely about malicious code or bug exploits. The bug it's in the Adobe Flash plugin, the noScript addin minimize the risk but not give a solution for it, this is all.

Regards,

Luzbel

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 6:38 PM by sandi

@all

Dozens of comments exhibiting various levels of vitriol have been submitted for moderation over the last few hours or so and which were no more than personal attacks - against me, against Microsoft, against IE, against MVPs - one person even went so far as to mention condoms and holes therein - we do not need such dialogue, thank you very much.

Such comments are no credit to the FF community and will NOT be approved for publication.

Sandi

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Wednesday, August 20, 2008 8:10 PM by ks

It's sad how some people make fun of "Mozilla fanboys", even while being/praising MVPs, which is like a straightforward official MS fanboy badge (with some alleged credit to it, tbh).

Jokes aside, it's sad that a certified expert falls into such a gratuitous criticism to a piece of software that DOES in fact protect from SWF clipboard hijacks, unless told otherwise. NoScript blocks all SWF content (including ActionScript) unless the host domain is set in the whitelist actively, and also most likely consciously, by the user.

My humble opinion is that this post is mischievous, although not entirely uncertain. A better start would've been: "Certain settings in Firefox with NoScript MAY NOT protect you from SWF clipboard hijacks".

Keep up the war against malware, nevertheless!

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Thursday, August 21, 2008 12:40 AM by DuenD

To Unpartial Thinker:

I think that you are wrong:

UAC can be avoided WITHOUT user intervention, so it's defective.

On the other hand, NoScript protects you if you have it configured right. Of course, is like any antivirus or firewall: if you disable it, then no longer protects you.

Nobody says that UAC is defective because you can disable it: it's defective because can be avoided by malware even when it's disabled.

Dear Sandi: It's human to be wrong, but it's more human to insist on error.

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Thursday, August 21, 2008 1:05 AM by DuenD

Sorry:

I really want to say that UAC is defective because can be avoided by malware even when it's ENABLED.

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Thursday, August 21, 2008 2:29 AM by sandi

@DuenD

How ironic, the tables are turned.  I am now going to claim a defence for UAC that is similar to that claimed for NoScript...

UAC was mis-marketed, leading to widespread misunderstanding and misaligned expectations, and the fall-out of that mis-marketing has been a thorn in our proverbial sides ever since Vista was in beta.  People do not properly understand UAC, just like some people do not properly understand NoScript.

I am channelling Mark Russinovich and a gentleman that I dare to claim as a friend, Jesper Johansson, when I remind everybody that the collection of features that make up UAC are not meant to be a malware-blocking security boundary.

I think Jesper explains it best.  He writes:

"While it is correct to claim that a goal of UAC was to provide some level of protection for apps running as an admin from those that were not, that was not by any means the primary purpose of UAC. The primary purpose was to start us on a path where more users run as standard user, which in turn would force developers to write more programs that work as a standard user, reducing the number of situations where users need to elevate. As developers write more UAC-compliant apps, the number of prompts the user gets goes down and the user experience gets better. In the process, ideally we end up in a situation where most people do not run as administrators and, hopefully, they start questioning some of the elevation prompts they do get. The fewer the prompts, the more likely users are to consider them carefully before allowing them. Or so the theory goes. By extension, yes, there may be less malware, but that will depend on whether users keep UAC enabled, which depends on whether developers write software that works with it and that users stop viewing prompts as fast-clicking exercises and actually consider whether an elevation request is legitimate."

Source: technet.microsoft.com/.../cc137811.aspx

Ok, so how does Mark Russinovich describe UAC?

"UAC is meant to enable users to run with standard user rights, as opposed to administrative rights. Administrative rights give users the ability to read and modify any part of the operating system, including the code and data of other users—and even Windows itself. Without administrative rights users cannot accidentally (or deliberately) modify system settings, malware can’t alter system security settings or disable antivirus software, and users can’t compromise the sensitive information of other users on shared computers. Running with standard user rights can therefore reduce urgent help desk calls in corporate environments, mitigate the impact of malware, keep home computers running more smoothly, and protect sensitive data on shared computers."

Source: technet.microsoft.com/.../cc138019.aspx

I do wonder what, considering all the above, MS should have done differently with UAC (apart from getting their marketing message correct from the very beginning).  As OS and browser security has improved across the board social engineering trickery has gained in prominence and importance and effectiveness.  Users will always throw caution to the wind in order to see what Edward Felten and Gary McGraw (and Jesper and Steve Riley) famously describe as "dancing pigs" and it has become obvious that the only guaranteed protection from malware is, basically, to take away a user's right to decide what they do or do not want to run on their systems - for the computer to throw up its binary hands and refuse to run a piece of code.

Education is of vital importance.  Software defenders need to get over the "it's their fault because it's safe by default" and "only idiots would change Program X's settings" excuses because, guess what, the vast majority of users are not idiots (and I have no patience with people who call users idiots, or who treat users as such).  Users are inexperienced, and they are untrained, but they are not unintelligent.  Users turn UAC off because they don't like the prompts (or the person who sold them the PC turns it off or sets it to silently elevate to avoid support costs).  Users temporarily allow Flash because they are curious and want to see what has been hidden and/or because they "trust" the web site, or they turn Forbid Flash off because the nice boy down the road installed Firefox and NoScript for them, but they don't understand it, it's all too hard, and they are sick of not being able to see stuff without clicking.

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Thursday, August 21, 2008 3:55 AM by DuenD

Dear Sandi,

Turning again to the original point: is NoScript less secure because you can disable some functions in it? I don't think so. I also think the same for Microsoft's UAC.

Of course that the human factor is always the weaker point of security, may be for inexperience or whatever, I think that this is why the default options are so important.

Apart that NoScript and UAC are for different purposes, I think that one does its work right, and the other one no. At least until some one figures how to run a SWF file with NoScript blocking option turned on.

When that happen, I will change my mind, but, right now I think that is a very strong and secure application.

It would be desirable that there exists some option that allow users run flash content while avoiding the clipboard hijacking problem, of course, but that may be impossible without modifying the flash viewer (I don't know for sure), and, if so, laws from USA (DMCA I think) forbids that.

It may be an interesting test if the same problem happen with gnash (the gnu flash viewer).

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Thursday, August 21, 2008 7:34 AM by sandi

@DuenD,

Y'know, I never actually said that NoScript is a bad application, or insecure.  All I ever wanted to do was alert those users of NoScript, such as the user who inspired my article in the first place and who (erroneously) believed that he should be protected from things like the clipboard attack when viewing a non-approved/non-whitelisted/non-untrusted site even if he turns off Forbid Flash, that they are not protected from things like the clipboard attack if the SWF is displayed.  Such users, who are not technically savvy enough to understand the distinction between script *on a page* and script via SWF *do* exist and need to be set straight WITHOUT being called idiots or being told that it's all their own fault.

Yes my article should have been more clear from the start ... I have done what I think is necessary to clarify the article... but jeez I wish some people would get off the "it is secure by default and if you change things you're an idiot and whatever happens is your own fault" soapbox and start looking at things from the unsophisticated end user's perspective - I wish they would stop beating less sophisticated users over the head with a 2x4, start teaching, stop flaming, and stop blaming users and calling them idiots.

You may not know this (I am betting that none of the flamers who suddenly appeared on this blog knew it either), but I wrote an article a while ago in which I called Flash "the Typhoid Mary of the Internet", not only because it is being misused so often, but most importantly because there is no way for the end user to control the functionality that is being abused by the criminals without blocking Flash completely.  

I would be the first to shout it from the rooftops and lead the round of applause if NoScript could make it possible to display Flash and avoid the bad guys.

# re: ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks

Friday, August 22, 2008 1:41 PM by bob

NoScript is not blocking the attack because you explicitly disabled the blocking mechanism. So of course you are now vulnerable to the attack.