ALERT: Firefox with NoScript does NOT ALWAYS protect from SWF clipboard hijacks
Topic subjected edited to add the word "always". I stand by my statement that there are users out there who believe that "NoScript" will protect them from incidents like the clipboard hijack, even when they have disabled "Forbid Flash", and need to be told that this is not so. Perhaps my original article, without the edits and note in bold, was insufficiently clear, but that has been addressed.
The hijacking of clipboards by malicious SWF is proving to be a very popular topic:
Somebody posted at ZDnet to claim that "Once again, NoScript saves our collective keesters!" Sorry, but this is not true. You can try it out for yourself. Edit: you do, of course, need to have set NoScript to allow Flash to display by turning off the "Forbid Adobe Flash" option, or have otherwise allowed the Flash content to display.
Fire up Firefox with noscript, then go to this "proof of concept" URL:
Now, check your clipboard. You will find that it is populated with an "evil.com" URL. You will not be able to change that clipboard text until you close the raffon.net page in Firefox.
Some other points to pay particular attention to...
- Some users have pointed out that the malicious URL leads to Google. This is standard operating procedure for malicious advertising campaigns that have not been 'activated' or that have been discovered and reported. Changing the destination URL from Google to a fraudware domain (and back again) is a trivial thing for the bad guys, accomplished in minutes.
- Some users have recommended enabling the Internet Explorer setting that blocks programmatic access to the keyboard. This will not work. Blocking programmatic access to the keyboard only stops web sites from *reading* the clipboard; it does not stop them from *writing* to it.
- Some users have said that they are forced to reboot the computer to get rid of the clipboard problem. This is not necessary. Once you identify and close the web page that is hosting the malicious SWF you will regain control of the content of your clipboard.
- Some users are saying that it is no big deal because no malware is being installed on computers. That may be so, but the trick *is* getting the URL on to web pages, and therefore in to Google and other web searches. Viewers *will* click on the malicious link - not all of them, maybe not a lot of them, but some will click, and the bad guys will take any hits they can get.
So, what is the quickest and easiest way to avoid this problem? Block Flash.
Note: NoScript was set to allow Flash and Silverlight to display (which is not the default setting, but is a setting that is more common than some would like to admit). The raffon.net site is NOT a whitelisted site in NoScript, and the option to "temporarily allow" scripts on raffon.net was not selected, nor was any other "allow" option used.