Since Microsoft Internet Explorer (“IE”) version 5.0, script has been able to read and set the user's clipboard text by default, with no prompting. This can be handy for web-based applications, but it can also be used maliciously to steal the clipboard contents if the option is not changed.
It is easy to monitor the contents of the clipboard and send them to a remote server-side script for processing. The remote script could then save the clipboard text in a database, or e-mail it to the evil overlord script creator. By itself this doesn’t cause much harm, but users often copy sensitive information to the clipboard – e-mails, addresses, passwords, pictures – just about anything, which could then fall into the wrong hands.
New security-related updates for Windows Internet Explorer 7 include a change in the default security settings for script access to the Clipboard. Pages that use script to access the Clipboard will behave differently. Sites using script to access the Clipboard in the Internet and Trusted sites zones will see a prompt that informs the user that their Clipboard is being accessed by script (Figure 1). The prompt requires user intervention to continue. This is designed to prevent the risk, even if remote, of information disclosure through script access to the Clipboard. An example exploit can be created by using script on a page to read and retrieve the current contents of your Clipboard that may not be intended for that page. Past mention of potential exploits for this feature can be found on the CVE Web site.
For a detailed explanation as to why IE7 changed this default behaviour, click here.
How to Minimize the Compatibility Impact by Using Internet Options
To work around this security control feature, start Internet Explorer 7. Click Tools, and then click Internet Options. Click the Security tab, click Internet, and then click Custom Level. Under Scripting, click Enable for Allow Programmatic clipboard access.
Microsoft does not recommend this workaround, because sensitive information on your Clipboard, such as your passwords, can be disclosed. A more secure alternative could be making this change for Trusted sites only. To do this, start Internet Explorer 7. Click Tools, and then click Internet Options. Click the Security tab, click Trusted sites, and then click Custom Level. Under Scripting, click Enable for Allow Programmatic clipboard access.
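To check which zones currently allow silent script access after changes like the ones above, the setting can be read back from the registry. The following PowerShell audit is an added example, not part of the original page. It assumes the standard zone registry layout, in which URL action 1407 holds Allow Programmatic clipboard access (0 = Enable, 1 = Prompt, 3 = Disable); the function name is hypothetical.

```powershell
# Added example: report "Allow Programmatic clipboard access" per security zone.
# Assumption: the option is stored as value 1407 under ...\Internet Settings\Zones\<zone id>
# with 0 = Enable (no prompt), 1 = Prompt, 3 = Disable.
$zones   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix  = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$hives   = [ordered]@{
    'User setting'    = "HKCU:\Software\$suffix"
    'User policy'     = "HKCU:\Software\Policies\$suffix"
    'Machine setting' = "HKLM:\Software\$suffix"
    'Machine policy'  = "HKLM:\Software\Policies\$suffix"
}

function Get-ClipboardScriptAccess {   # hypothetical helper name
    foreach ($source in $hives.Keys) {
        foreach ($id in ($zones.Keys | Sort-Object)) {
            $path = Join-Path $hives[$source] "$id"
            $prop = Get-ItemProperty -Path $path -Name '1407' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # not configured at this location
            $value   = [int]$prop.'1407'
            $setting = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unknown' }
            [pscustomobject]@{
                Source  = $source
                Zone    = $zones[$id]
                Value   = $value
                Setting = $setting
                Silent  = ($value -eq 0)   # script can read the clipboard with no prompt
            }
        }
    }
}

$results = @(Get-ClipboardScriptAccess)
$results | Format-Table -AutoSize

# Enable outside Trusted sites is the configuration the text above advises against.
$results | Where-Object { $_.Silent -and $_.Zone -ne 'Trusted sites' } | ForEach-Object {
    Write-Warning ("{0}: clipboard access is enabled without a prompt in the {1} zone" -f $_.Source, $_.Zone)
}
```

Zones with no row in the output have no explicit value at that location and fall back to the browser's default for the zone.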