Windows clipboard data is at risk when you use IE to surf the web. Unless an organization modifies the default IE security settings for versions 4 through 6, information copied to the Windows clipboard can be easily retrieved by an unscrupulous webmaster.
A demonstration of this “feature” is provided at scriptmagic.com. When I first visited this site, my clipboard was empty. Not to be deterred from discovering just how vulnerable my IE 6 implementation system is, I followed the instructions and copied information to my clipboard. The results appear below:
I typed the text shown in the red box into Microsoft Word. Once I selected and copied the sentence into my clipboard, it immediately appeared on the web site.
By default, IE 7 asks the user if she wants to honor the web site request for the contents of the clipboard. At least that's what's supposed to happen. My IE 7 installation locked. Opera and Firefox don't give up your clipboard information without your knowledge.
Microsoft does provide instructions in Article 224993 for either turning off the transparent retrieval or prompting the user when a request for the clipboard information is made. Be sure to properly configure the "Allow paste operations via script" security setting in IE to protect against data leaks that occur during normal system operation. Organizations with hundreds or thousands of IE users are at significant risk of leaking bits and pieces of ePHI, PII, or intellectual property.
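One way to check the setting described above on a machine, as an added example that is not from the original post or from Microsoft's article. It assumes the standard IE zone encoding, which is not stated on this page: the setting is stored as registry value 1407 under each zone key (zones 0 to 4), with data 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example: audit the IE "Allow paste operations via script" setting.
# Assumption (not from the page): the setting is URL action 1407 in each zone key,
# with data 0 = Enable (silent clipboard access), 1 = Prompt, 3 = Disable.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Registry locations that can hold zone settings: policy keys, then user and machine keys.
$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ScriptPasteSetting {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $key  = Join-Path $root $zone
            $prop = Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # key or value not present at this location
            $data = [int]$prop.'1407'
            $setting = if ($Meaning.ContainsKey($data)) { $Meaning[$data] } else { "Unknown ($data)" }
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Setting = $setting
                # Flag silent access only in the zones where untrusted sites load.
                AtRisk  = ($data -eq 0 -and $zone -ge 3)
                Key     = $key
            }
        }
    }
}

$results = @(Get-ScriptPasteSetting)
$results | Format-Table -AutoSize

$exposed = @($results | Where-Object { $_.AtRisk })
if ($exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) zone setting(s) let scripts read the clipboard without a prompt."
}
```

A row with Setting = Enable for the Internet zone corresponds to the behavior described above, where copied text reaches the web site with no prompt.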
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.