Bug 454068

Summary: Unsigned Applet intercepts bypassing clipboard data
Product: [Other] Security Response Reporter: Marc Schoenefeld <mschoene>
Component: vulnerabilityAssignee: Rodney Russ <rruss>
Status: CLOSED DUPLICATE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-15 07:12:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Marc Schoenefeld 2008-07-04 10:01:03 UTC
It was discovered that the JRE provides unsigned applets with more meta data
than necessary when forwarding native mouse dragging events to the JRE objects
that visualize and manage applets. So even when the mouse moves over the canvas
of an applet, the embedded clipboard can be accessed. This means that it is not
necessary to drop, moving over the applet if sufficient to spy the data. Even by
unsigned applets.  
As a proof of concept we developed a demo applet that intercepts some graphics
format (JPG, PNG) and also Openoffice (we access the RTF representation and
embedded png files for demo purposes, but the entire ZIP container is accessible). 
Due to it's platform-independency this technique works on all Java-enabled
architectures, the embedded parser just needs to recognize the MIME-types that
are passed to it.

Comment 4 Tomas Hoger 2011-06-15 07:12:52 UTC

*** This bug has been marked as a duplicate of bug 575756 ***