Clipboard security problem

rob

I was amazed to see that ZoneAlarm had obtained my clipboard's current
contents when running the free ZoneAlarm Anonymizer Privacy Test from:
http://www.anonymizer.com/privacytest/2.0/privacytest.cgi?test=2

I am running WindowsXP SP2 Professional with no problems on a network of
three PCs, have a fixed IP on broadband (shared through a router) and am
using the free ZoneAlarm version 4.5.538.001 on all PCs instead of the
Microsoft firewall.

After seeing my clipboard's contents from ZoneAlarm, I confirmed that my
Remote Desktop was still disabled and then enabled "Do Not Allow Clipboard
Redirection" policy via gpedit.msc.

To my surprise this made no difference - can anybody out there please let me
know how this serious security problem can be resolved from within Windows
XP SP2.

Many thanks, Rob
 
Wesley Vogel

Start | Run | Type: inetcpl.cpl | OK |
Or...
Tools | Internet Options from within Internet Explorer |
Security tab | Custom Level button |
Scroll down almost to the bottom to:
Scripting
Allow paste operations via script
Set to:
Disable
or
Prompt
OK | Apply | OK

[[Specifies how you want to handle potentially risky actions, files,
programs, or downloads. Select one of the following:
To be prompted for approval before proceeding, click Prompt.
To skip prompting and automatically refuse the action or download, click
Disable.
To automatically proceed without prompting, click Enable.
Note: Some options do not provide a Prompt setting. Also, these options do
not apply to FTP folders.]]
 
rob

Many thanks for your advice. Unfortunately, if I disable Scripting etc it
will affect Internet Banking etc. I cannot understand why 'Clipboard' has
anything to do with Internet Explorer, surely Microsoft should have
protected access to 'Clipboard' from outside one's system since this seems
to me to be a serious security problem? As a matter of interest, would the
Microsoft Firewall, rather than the free ZoneAlarm firewall, stop this?
Thanks again for your help - Rob
 
Mark L. Ferguson

When Wes sent you to the "Custom Level" button, he was making the fair
assumption that the "Internet Zone" icon was highlighted when you clicked
it. (highlighted by default). This makes the Security setting for the
Internet pages.
There is no reason why you could not maintain your preferred secure status
in that zone, and add the Banking site to the "Trusted sites" zone, and set
the Custom Level there, to use what you find necessary for access. One
caveat for your needs is that the site must be a secure page ('https://'
instead of 'http://'). I think that would be true on any banking page that
needed scripting.
 
Wesley Vogel

Rob,

In addition to what Mark stated.

So, set
Allow paste operations via script
to Prompt and you'll get to see this popup:

Internet Explorer
Do you want to allow this page to paste information from your clipboard?
[Yes] [No]

Many, many times at your test page.

No, firewall has nothing to do with it.

How to Prevent Web Sites From Obtaining Access to the Contents of Your
Windows Clipboard
http://support.microsoft.com/default.aspx?scid=kb;en-us;224993


--
Hope this helps. Let us know.
Wes
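
Added example, not part of any post in this thread: a PowerShell audit of the setting discussed above, read per security zone so the Internet zone and the Trusted sites zone Mark mentions can be compared. It assumes the standard Internet Explorer zone registry layout, where "Allow paste operations via script" is stored as URL action 1407 (0 = Enable, 1 = Prompt, 3 = Disable); those identifiers are not stated in the thread, and the function names are made up for this example.

```powershell
# Added example (not from the thread): audit and tighten IE URL action 1407,
# the per-user registry value behind "Allow paste operations via script".
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Action    = '1407'
$ZoneNames = [ordered]@{
    '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
    '3' = 'Internet';    '4' = 'Restricted sites'
}
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Report the current value for every zone; "Enable" in the Internet zone is
# the state in which a page can read the clipboard without asking.
function Get-ScriptPasteSetting {
    foreach ($zone in $ZoneNames.Keys) {
        $key  = Join-Path $ZonesRoot $zone
        $prop = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        $raw  = if ($prop) { [int]$prop.$Action } else { $null }

        if ($null -eq $raw)                 { $setting = 'Not set' }
        elseif ($Meaning.ContainsKey($raw)) { $setting = $Meaning[$raw] }
        else                                { $setting = 'Unknown' }

        [pscustomobject]@{ Zone = $ZoneNames[$zone]; Raw = $raw; Setting = $setting }
    }
}

# Set Prompt or Disable for the Internet (3) or Trusted sites (2) zone.
# Hypothetical helper; supports -WhatIf so the change can be previewed.
function Set-ScriptPasteSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('2', '3')][string]$Zone = '3',
        [ValidateSet('Prompt', 'Disable')][string]$Setting = 'Prompt'
    )
    $value = if ($Setting -eq 'Prompt') { 1 } else { 3 }
    $key   = Join-Path $ZonesRoot $Zone
    if ($PSCmdlet.ShouldProcess("$($ZoneNames[$Zone]) zone", "set $Action to $Setting")) {
        Set-ItemProperty -Path $key -Name $Action -Value $value -Type DWord
    }
}

Get-ScriptPasteSetting | Format-Table -AutoSize
# Preview only; drop -WhatIf to apply the change for the current user.
Set-ScriptPasteSetting -Zone 3 -Setting Prompt -WhatIf
```

This reads and writes the current user's settings only; on machines where zone settings are enforced by Group Policy, the policy values take precedence over what is shown here.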

 
rob

Many, many thanks to all for your help - it is great to see the
test software fail.

I am surprised that this is not a default setting, since I cannot see a
scenario when web access to 'clipboard' would be a requirement.

Rob

 
