By Jake Edge
October 29, 2008
It has become increasingly difficult to use the web without some kind of
Flash player, but a little-known "feature" of Flash is causing some privacy
concerns. In some ways, Local Shared
Objects (LSOs aka Flash cookies) are similar to browser cookies, but
there are a number of significant differences as well.
In addition, because the dominant Flash player is closed-source, one must
depend on Adobe's ability to faithfully implement the security model. In
all, Flash cookies are something that web users should be cognizant of.
At its core, an LSO is a chunk of data that is stored on a user's disk
based on the domain that the Flash program was downloaded from. Only Flash
programs from that domain should have access to the data and, unlike
browser cookies, they can store much more of it. By default, 100K bytes can
be used per domain, which is a sizable increase from the 4K available for
browser cookies. The amount of storage for a Flash cookie can be increased
with the assent of the user, or decreased via the management interface.
Another major difference from the now-familiar browser cookies is that the
interface for managing them is less-than-obvious. From a given Flash
application, there is a "Settings" menu that allows control of the LSOs
from that site. To see the sites that have stored Flash cookies or to have
more global control over them, one must visit Adobe's site.
There are also third-party applications and browser add-ons that will allow
more control. A user can also resort to the ultimate control—removing
them from the filesystem (~/.macromedia/Flash_Player/#SharedObjects).
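As an added example (not part of the article), here is how a user might audit those files from a shell: it lists the LSOs under ~/.macromedia/Flash_Player/#SharedObjects grouped by the domain directory the player filed them under and totals each domain's bytes against the 100K default quota. The random-id/domain directory nesting is an assumption, and the sample tree is constructed so the script runs offline.

```shell
# Added example, not from the article: audit the Flash Local Shared Objects
# (LSOs) stored on disk, grouped by the domain the Flash player filed them
# under, so a user can see which sites hold Flash cookies and how much each holds.
# Assumed layout (the player's random id and the domain are the first two levels):
#   ~/.macromedia/Flash_Player/#SharedObjects/<random-id>/<domain>/.../*.sol
# The default per-domain quota is 100K bytes; more than that needed user assent.

LSO_ROOT="${LSO_ROOT:-$HOME/.macromedia/Flash_Player/#SharedObjects}"
DEFAULT_QUOTA=102400

# Print one line per domain: "<domain> <number-of-.sol-files> <total-bytes>".
list_lso_domains() {
    root="${1:-$LSO_ROOT}"
    [ -d "$root" ] || return 0
    for domain_dir in "$root"/*/*/; do
        [ -d "$domain_dir" ] || continue
        domain=$(basename "$domain_dir")
        count=$(( $(find "$domain_dir" -type f -name '*.sol' | wc -l) ))
        bytes=0
        if [ "$count" -gt 0 ]; then
            bytes=$(( $(find "$domain_dir" -type f -name '*.sol' -exec cat {} + | wc -c) ))
        fi
        printf '%s %d %d\n' "$domain" "$count" "$bytes"
    done | sort
}

# Print "<domain> <bytes>" for domains storing more than a quota (default 100K).
over_quota() {
    root="${1:-$LSO_ROOT}"; quota="${2:-$DEFAULT_QUOTA}"
    list_lso_domains "$root" | while read -r domain count bytes; do
        if [ "$bytes" -gt "$quota" ]; then printf '%s %d\n' "$domain" "$bytes"; fi
    done
}

# Constructed sample tree standing in for a real #SharedObjects directory.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ABCD1234/example.com/prefs" "$root/ABCD1234/tracker.example/id"
    printf 'theme=dark' > "$root/ABCD1234/example.com/prefs/settings.sol"
    head -c 120000 /dev/zero > "$root/ABCD1234/tracker.example/id/visitor.sol"
    printf '%s\n' "$root"
}

demo=$(build_demo_tree)
list_lso_domains "$demo"   # example.com 1 10 / tracker.example 1 120000
over_quota "$demo"         # tracker.example 120000
rm -rf "$demo"
```

Run it without arguments against the real directory (or set LSO_ROOT) to see which domains have stored Flash cookies; a domain over the default quota is one the user, at some point, granted extra storage.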
There are many benign things that a Flash application might do with a bit
of local storage—caching data, storing preferences, etc.—but
they can also be used to track users in much the same way that browser
cookies are used. Because Flash cookies are less well-known, and harder to
manage, though, they may be more effective because they are removed or
restricted less often.
Another important thing to note is that there is no requirement that there
be a visible Flash application on the web site. A site could embed a Flash
application with no visible elements simply to store a cookie. Unless the
user has a browser add-on like NoScript,
they will get no indication that anything has happened.
Assuming that there aren't any holes in Adobe's implementation of the Flash
security model, Flash cookies aren't much different—or more
dangerous—than browser cookies. But that assumption is a bit
worrisome. For Firefox or other free software browsers, the code can be
inspected to verify correct behavior. Either Flash or Firefox could have
some flaw
that allowed cross-site cookie access (which would be a rather nasty
information disclosure vulnerability), but for Flash, we can only take
Adobe's word.
Privacy advocates have been successful in getting the idea of deleting
browser cookies
into the consciousness of concerned users, but Flash cookies seem to have
flown below the radar. A recent blog
posting that was widely reported has helped to raise the profile of
Flash cookies so that users will, hopefully, know that they exist. Those
with a desire to strictly control their privacy will be better able to do
so. With
luck, it may also lead Adobe to provide an easier and more visible
interface to manage them
as well.
New vulnerabilities
cman: insecure temp file
| Package(s): | cman |
| CVE #(s): | CVE-2008-4192 |
| Created: | October 23, 2008 |
| Updated: | February 16, 2011 |
| Description: | cman has an insecure temp file vulnerability. From the Red Hat bug report: A malicious user could precreate a symlink pointing to the file /tmp/eglog. A subsequent run of the '/sbin/egenera' command would destroy / truncate the target of this link to zero length. |
| Alerts: | |
cman: insecure temp file
| Package(s): | cman |
| CVE #(s): | CVE-2008-4579 |
| Created: | October 23, 2008 |
| Updated: | February 16, 2011 |
| Description: | cman has an insecure temp file vulnerability. From the Red Hat bug report: The fence_apc and fence_apc_snmp programs, as used in fence 2.02.00-r1 and possibly cman, when running in verbose mode, allow local users to append to arbitrary files via a symlink attack on the apclog temporary file. |
| Alerts: | |
emacs: arbitrary code execution
| Package(s): | emacs |
| CVE #(s): | CVE-2008-3949 |
| Created: | October 28, 2008 |
| Updated: | February 24, 2009 |
| Description: | From the CVE entry: Emacs 22.1 and 22.2 import a Python script from the current working directory during editing of a Python file, which allows local users to execute arbitrary code via a Trojan horse Python file. |
| Alerts: | |
flash-plugin: several vulnerabilities
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2008-3873, CVE-2008-4401, CVE-2008-4503 |
| Created: | October 28, 2008 |
| Updated: | November 14, 2008 |
| Description: | From the Red Hat advisory: A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. (CVE-2008-3873) A flaw was found which allowed Adobe Flash Player's ActionScript to initiate file uploads and downloads without user interaction. FileReference.browse and FileReference.download calls can now only be initiated via user interaction, such as mouse-clicks or key-presses on the keyboard. (CVE-2008-4401) A flaw was found in Adobe Flash Player's display of the Settings Manager content. A malicious SWF file could trick the user into unknowingly clicking a link or dialog. This could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503) |
| Alerts: | |
kernel: restriction bypass
| Package(s): | kernel |
| CVE #(s): | CVE-2008-4554 |
| Created: | October 23, 2008 |
| Updated: | June 8, 2009 |
| Description: | The kernel has a restriction bypass vulnerability. From the Red Hat bug report: Miklos Szeredi reported that splice() to files opened with O_APPEND is ignored, which allows users to bypass the append-only restriction. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2008-4410 |
| Created: | October 23, 2008 |
| Updated: | October 29, 2008 |
| Description: | The kernel has a denial of service vulnerability. From the CVE description: The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2008-3911, CVE-2008-4618 |
| Created: | October 27, 2008 |
| Updated: | January 22, 2009 |
| Description: | From the SUSE advisory: CVE-2008-3911: The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from user space, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file. CVE-2008-4618: Fixed a kernel panic in SCTP while processing a protocol violation parameter. |
| Alerts: | |
ktorrent: multiple vulnerabilities
| Package(s): | ktorrent |
| CVE #(s): | |
| Created: | October 27, 2008 |
| Updated: | November 6, 2008 |
| Description: | From the Fedora advisory: Another bugfix release for the 3.1 series is out. This fixes several bugs: a crash caused by a SIGBUS when diskspace preallocation is disabled; high CPU usage when DNS lookups fail in the UDP tracker code; several security issues in the webinterface plugin. |
| Alerts: | |
libspf2: buffer overflow
| Package(s): | libspf2 |
| CVE #(s): | CVE-2008-2469 |
| Created: | October 24, 2008 |
| Updated: | October 31, 2008 |
| Description: | From the Debian advisory: Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition. |
| Alerts: | |
lynx: multiple vulnerabilities
| Package(s): | lynx |
| CVE #(s): | CVE-2008-4690, CVE-2006-7234 |
| Created: | October 27, 2008 |
| Updated: | September 14, 2009 |
| Description: | From the Red Hat advisory: An arbitrary command execution flaw was found in the Lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL that could execute arbitrary code as the user running Lynx in the non-default "Advanced" user mode. (CVE-2008-4690) A flaw was found in a way Lynx handled ".mailcap" and ".mime.types" configuration files. Files in the browser's current working directory were opened before those in the user's home directory. A local attacker, able to convince a user to run Lynx in a directory under their control, could possibly execute arbitrary commands as the user running Lynx. (CVE-2006-7234) |
| Alerts: | |
squirrelmail: session hijacking vulnerability
| Package(s): | squirrelmail |
| CVE #(s): | CVE-2008-3663 |
| Created: | October 23, 2008 |
| Updated: | May 13, 2009 |
| Description: | squirrelmail is vulnerable to session hijacking. From the Red Hat bug report: Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
| Alerts: | |
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2008-4680, CVE-2008-4681, CVE-2008-4682, CVE-2008-4683, CVE-2008-4684, CVE-2008-4685 |
| Created: | October 27, 2008 |
| Updated: | June 30, 2009 |
| Description: | From the CVE entries: CVE-2008-4680: packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB). CVE-2008-4681: Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via unknown packets. CVE-2008-4682: wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application abort) via a malformed Tamos CommView capture file (aka .ncf file) with an "unknown/unexpected packet type" that triggers a failed assertion. CVE-2008-4683: The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call. CVE-2008-4684: packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle exceptions thrown by post dissectors, which allows remote attackers to cause a denial of service (application crash) via a certain series of packets, as demonstrated by enabling the (1) PRP or (2) MATE post dissector. CVE-2008-4685: Use-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception. |
| Alerts: | |
Page editor: Jake Edge