I just connected to my win2k server via VNC and opened MS Word. The clipboard side panel was visible (the utility in Office that gives you access to your last 24 cut or copy operations) and I was surprised to see text from my client machine's clipboard history displayed in that panel.
The text came from various apps I had been using on the client including chat, email, word & excel and it included some sensitive and confidential information that had never been pasted into the server. The win2k server is a general test machine and is accessed by others. It is worrying that this data found its way onto the server without me knowing about it and was displayed on the screen for all to see. Is this expected behaviour? It seems a major security issue to me. I'm afraid I have stumbled into this during a busy period and haven't had time to go through the vnc docs/search google in detail so sorry if it has been covered already. I thought I should at least raise it to the group for comment. I am running a win2k server with vnc server free edition and a vista home basic client with the free edition viewer. Both are v4.1.2. I have Office 2007 on the client and Office 2003 on the server (the options on both of these should be pretty much default). The 'send clipboard changes to server' and 'pass special keys directly to server' options were set on my vnc client. Does anyone know how I can prevent this from happening in future? I would rather not turn off 'send clipboard changes to server' and 'pass special keys to server' because I'm doing quite a bit of editing on the server. Maybe it is possible to prevent this by turning the keyboard history off in Windows or Office??? I'll also need to look at how to remove the text that has already found its way onto the server...guess it could now be cached in various different places (e.g. Word, Office, Windows system, Google desktop etc.). Are there any opinions on whether this can or should be fixed? I haven't thought it through too much but it would seem better to only send a single clipboard item (the latest cut/copy) from the client to the server and to only do this when paste or ctrl-v is actually pressed on the server. This would ensure that clipboard contents were only transferred when the user intended them to be. The current implementation seems to send 'old' clipboard items too and I'm not sure if it does this when pasting or when the user simply connects to the server. I can see how sending the whole clipboard history of the client might be desirable for some but it should probably be a non-default setting at most and a clear warning should be displayed when enabling it. Also, should anything be done in the short term to make users aware of this? Perhaps an entry could be put in the FAQ (if it is not there already!). Cheers, Steve. _______________________________________________ VNC-List mailing list [email protected] To remove yourself from the list visit: http://www.realvnc.com/mailman/listinfo/vnc-list
