Malicious SWF copying data to computer clipboards... the discussions continue
For those of you interested, there has been a test page set up at this URL - the test page uses an SWF file to copy a URL to a computer's clipboard. You'll need to close the browser window to regain control of your clipboard's contents:
I should point out that I am seeing some misinformation out there about what can be done to avoid the problem. For example, there is this comment by somebody at The Register - he says "Why not just tell IE not to allow access to the clipboard - it's just a tickbox. I do it on any IE setup since browsers and webpages have no right to my clipboard. Mine's the one with 'SMUG' pasted on the back"
The option that Adrian refers to is this one - "Allow Programmatic clipboard access" (note, in earlier versions of IE the option was described as "Allow paste operation via script").
As you can see, my system is set to "prompt". When I access the above test URL content is silently copied to my clipboard, and this is to be expected. Why? The option highlighted is to prevent web pages from accessing (reading) clipboard content. In other words, it is to stop web pages from COPYING information from the clipboard. It does not stop data from being written to the clipboard.
If the highlighted option is set to "prompt" then you will see this dialogue box if a web page tries to access the clipboard:
I have also seen a suggestion that disabling the clipbook service (known as the clipboard service in older operating systems) will avoid the problem - I suspect that that won't work either. Firstly, the clipbook service doesn't exist in Vista. Secondly, I am pretty sure that the service is disabled by default once you install XPSP2 or XPSP3. Thirdly, clipbook/clipboard is used to view and share clipboard contents. I don't think it is the actual service that creates the ability to copy and paste per se.
To be honest I am not sure if it is possible to disable the clipboard so that IE can't write to it - if anybody knows how, please feel free to leave a comment. Yes, I am aware that we can run Firefox with NoScript installed and running, and we can use adblockers, and that we can disable scripting and whatnot in IE, but I would prefer it if we could avoid the problem *without* breaking web sites (and I've already stated my opinion on the wholesale blocking of advertising - I am against it).