For some time, ChemWriter has made it possible to paste chemical structures from the system clipboard. This feature eliminates the need for chemists to re-draw structures. Although transparent to the end user, reading binary structure data from the system clipboard requires a somewhat complex array of interconnected technologies behind the scenes. One of these technologies is the Java Plugin.
How (and Why) ChemWriter Uses the Java Plugin
Paste from system clipboard is an opt-in feature. If the developer so chooses, it can be disabled without any ill effects. Unfortunately, it has become necessary to discourage further use of the paste from system clipboard feature. Pasting a molfile (as text) into the ChemWriter window will continue to be supported.
Java Plugin Sandbox Compromised
Java applets running via the Java Plugin have for some time been capable of accessing operating system resources such as hard drives, other devices, and the system clipboard. The so-called security 'sandbox' exists to prevent them from doing so: any applet attempting to cross the sandbox boundary requires a digital signature and explicit user approval.
However, two recently reported exploits circumvent this restriction altogether, granting unsigned applets the ability to execute arbitrary code without end-user notification.
Anyone responsible for the security of an organization's computer network should be concerned by these reports.
Oracle's slow and muted response to both reports and end users' (understandable) reluctance to update Java versions do not bode well for Java in the browser going forward.
Oracle has since made two security-related releases; however, the continued threat from exploits using a similar attack route remains unclear.
Internet Explorer Crashes on Pasting from System Clipboard Under Some Configurations
Over the summer we received reports of browser crashes when invoking ChemWriter's paste from clipboard functionality. In some cases the behavior only appeared after 10-20 paste attempts. In other cases, the behavior appeared after a single attempt. After testing many combinations of browser, Java Plugin version, and operating system version, it was found that:
- Only Internet Explorer was susceptible to crash.
- IE 6/7/8 running Java Plugin 5u22 (last release in the 5 family) did not crash.
- IE 6/7/8 running Java Plugin 6u16 (released August 11, 2009) did not crash.
- IE 6/7/8 running Java Plugin 6u26 (released June 7, 2011) crashed.
- IE 9 running Java Plugin 6u16 crashed.
- IE 9 running Java Plugin 6u37 (released October 16, 2012) crashed.
- IE 9 crashed with the message "Internet explorer has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."
- IE 6-9 did not crash when using Java Plugin 7u5.
The exact Java 6 revision (between 6u16 and 6u26) introducing the crash behavior has not been pinpointed.
To summarize, it is currently not possible to run the still-popular Java 6 plugin revisions containing security updates without producing a browser crash on pasting from the clipboard.
Given the nature of the newly disclosed Java Plugin security exploits and ongoing stability issues, ChemWriter's clipboard paste functionality will likely be removed altogether in a future release. Those currently using this feature are encouraged to find an alternative.
Chemists routinely create chemical structures using desktop software and then save these structures by embedding them in Word or PowerPoint documents. Forcing them to re-draw these structures simply because they're using a browser-based structure editor makes no sense.
As a result, plugin-free alternatives to the current paste from system clipboard feature are being evaluated.