Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking and remove the floppy drives. Turns out most of the things you want to do with your computer are the very things that are a security risk. Even copy and paste.
[Michał Bentkowski] has a good summary of his research, which boils down to the following attack scenario:
- Visit a malicious site.
- Copy something to the clipboard, which gives the site the chance to put a dangerous payload there.
- Visit another site with a browser-based visual editor (e.g., Gmail or WordPress).
- Paste the clipboard into the editor.
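
Seen from the editor's side, the last step is where untrusted data enters the page. The sketch below is an added example, not code from the research or from any editor named above: a paste handler that ignores the clipboard's markup flavors and inserts only the plain-text one. All function names and the constructed clipboard contents are assumptions for illustration.

```javascript
// Added example; all names are hypothetical, not from any real editor.
// Clipboard flavors that can carry markup written by another origin.
const MARKUP_TYPES = ['text/html', 'text/rtf'];

// Decide what to insert: read only text/plain, never parse markup flavors.
function planPaste(clipboardData) {
  const types = Array.from(clipboardData.types || []);
  const dropped = types.filter((t) => MARKUP_TYPES.includes(t));
  const text = clipboardData
    .getData('text/plain')
    // Strip control characters except tab, LF and CR.
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '');
  return { text, dropped };
}

// Paste handler: insertText is a callback that must add a text node.
function onPaste(event, insertText) {
  event.preventDefault(); // stop the browser inserting text/html itself
  const { text, dropped } = planPaste(event.clipboardData);
  insertText(text);
  return dropped; // flavors that were ignored, e.g. for logging
}

// Browser wiring: text goes in through createTextNode, so "<" stays literal.
function attachPlainTextPaste(editable) {
  editable.addEventListener('paste', (event) =>
    onPaste(event, (text) => {
      const sel = window.getSelection();
      if (!sel.rangeCount) return;
      const range = sel.getRangeAt(0);
      range.deleteContents();
      range.insertNode(document.createTextNode(text));
      range.collapse(false);
    })
  );
}

// Constructed stand-in for a paste event, so the logic runs outside a browser.
function constructedPasteEvent() {
  const flavors = {
    'text/plain': 'hello\u0000 <b>world</b>',
    'text/html': '<b data-constructed="untrusted-markup">hello world</b>',
  };
  const read = [];
  return {
    read,
    prevented: false,
    preventDefault() { this.prevented = true; },
    clipboardData: {
      types: Object.keys(flavors),
      getData(type) { read.push(type); return flavors[type] || ''; },
    },
  };
}
```

This trades formatting for safety; an editor that has to keep pasted formatting needs an allowlist-based HTML sanitizer in place of the plain-text read.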