Adobe Flash and clipboard attacks – changes on the way
Adobe have blogged about changes being made to Flash to address various security issues, including the Flash clipboard attacks that received so much press attention not that long ago.
Blog article here:
http://blogs.adobe.com/psirt/2008/09/clipboard_attack_update.html
Devnet article:
http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html
The changes:
In Flash Player 9, ActionScript could perform uploads and downloads at any time. With Flash Player 10 beta, the FileReference.browse and FileReference.download operations may be initiated only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or pressing the keyboard.
In Flash Player 9, ActionScript could set data on the system Clipboard at any time. With Flash Player 10 beta, the System.setClipboard() method may be successfully called only through ActionScript that originates from user interaction. This includes actions such as clicking the mouse or using the keyboard. This user interaction requirement also applies to the new ActionScript 3.0 Clipboard.generalClipboard.setData() and Clipboard.generalClipboard.setDataHandler() methods.
New to Flash 10: In Flash Player 9, the system Clipboard could not be read at any time. With Flash Player 10 beta, the new ActionScript 3.0 method Clipboard.generalClipboard.getData() may be used to read the contents of the system Clipboard, but only when it is called from within an event handler processing a flash.events.Event.PASTE event.
Tightening of cross-domain policies – meta-policy default changed from “all” to “master-only”.
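The meta-policy change in the last item, as an added example (not Adobe's code and not part of the original post): a Python check that works out which meta-policy applies to a site's master crossdomain.xml under the old and new defaults, and lists settings the site owner should review. The sample policy files, the function names and the mapping of players 9 and 10 to the two defaults are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Meta-policy assumed when the master policy file declares none:
# "all" before the change, "master-only" after it (per the list above).
DEFAULT_META_POLICY = {9: "all", 10: "master-only"}

# Constructed sample: a master /crossdomain.xml with no <site-control> element.
LEGACY_MASTER = """<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""

# Constructed sample: the same kind of file with the meta-policy stated explicitly.
EXPLICIT_MASTER = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def effective_meta_policy(master_xml, player_major):
    """Meta-policy a player of this major version applies to the site."""
    root = ET.fromstring(master_xml)
    site_control = root.find("site-control")
    declared = None if site_control is None else site_control.get(
        "permitted-cross-domain-policies")
    return declared.strip().lower() if declared else DEFAULT_META_POLICY[player_major]


def audit_master_policy(master_xml):
    """Return findings a site owner should review in the master policy file."""
    root = ET.fromstring(master_xml)
    findings = []
    if root.find("site-control") is None:
        findings.append("no site-control: behaviour depends on the player default")
    for player in sorted(DEFAULT_META_POLICY):
        if effective_meta_policy(master_xml, player) == "all":
            findings.append("player %d honours non-master policy files" % player)
    for entry in root.findall("allow-access-from"):
        if entry.get("domain", "").strip() == "*":
            findings.append("allow-access-from grants access to every domain")
    return findings


if __name__ == "__main__":
    for name, doc in (("legacy", LEGACY_MASTER), ("explicit", EXPLICIT_MASTER)):
        print(name, audit_master_policy(doc))
```

Declaring the meta-policy explicitly in the master file removes the dependence on which player version the visitor happens to run.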
It will be very interesting to see how this affects the world of malvertising.