April 20, 2011
This article was contributed by Nathan Willis
Mozilla first announced Firefox 4 support for the X-Do-Not-Track HTTP header (DNT) in January, but for a while it appeared that it would be the lone browser implementing the privacy-protecting option. The movement has picked up considerable steam in recent weeks, however, with both Safari and Internet Explorer (IE) adding support for the header. IE 9 also adds a related feature: Tracking Protection Lists (TPLs), a form of subscription-based block list similar to that offered by the AdBlock Plus project. Yet while both are improvements from the viewpoint of most consumers, their real value remains up in the air in light of important unanswered questions.
The limitations of DNT and block lists
DNT is an HTTP header that a web browser would send along with a page request to a web server — the idea being that it requests that the server not employ "tracking" to monitor the user's behavior during the session. It is currently an IETF Internet Draft, and is still undergoing changes. For example, the actual header now simply reads "DNT: 1" or "DNT: 0", instead of the comparatively wordy original form, "X-Do-Not-Track: N". But the bigger debate remains over what "tracking" actually means. The draft concisely defines it as "Tracking includes collection, retention, and use of all data related to the request and response."
The Electronic Frontier Foundation's Peter Eckersley tackled that question in an EFF blog post in February, where he observed that the simple definition encompasses some techniques that are generally agreed to fall outside the average person's conception of "tracking." Examples include single-site statistics such as might be gathered by standard web server logs or an analytics tool, tracking necessary to complete online transactions, and tracking necessary to prevent fraud or respond to security breaches.
What constitutes "tracking" is a nebulous question without a bright-line, technical answer, but that is acceptable because, Eckersley argues, DNT is ultimately a policy tool and not a privacy-enhancing technology. He expounded on that distinction in a March post written in response to the announcement of IE 9's support for DNT and TPLs. There, he argues that block lists and DNT can complement each other, but that neither is 100% effective on its own.
Block lists, the term Eckersley uses to describe both TPL and plug-in solutions like AdBlock Plus, block outgoing HTTP requests that match a set of URL patterns that are created to catch known advertising, tracking, and cookie APIs. They have the advantage that they can stop privacy-risking HTTP connections altogether (in a manner that is relatively easy for the user to verify), and that they place the end user in control, without depending on legal or regulatory means to enforce compliance.
On the other hand, block lists are highly dependent on human list-maintainers keeping up to date with thousands of site APIs, correctly discerning which are performing tracking, and determining which will break functionality if blocked. There is also a growing list of tracking mechanisms like fingerprinting that do not rely on cookies, static domains, or other easily-caught factors. Fingerprinting as implemented by EFF's Panopticlick is a proof of concept, but there are already businesses performing similar techniques in the wild to collect data for commercial use.
Block lists also require a trust relationship with the list maintainers, and the trustworthiness of any given list maintainer is difficult to verify. Eckersley points to one particularly untrustworthy IE 9 TPL offered by the privately-owned TRUSTe corporation. TRUSTe's TPL blocks only 23 domains, and explicitly whitelists 3,954 others. Thanks to IE 9's implementation of TPLs, any domain whitelisted by TRUSTe's list cannot be overridden by appearing on the blacklist of another TPL. Consequently, subscribing to TRUSTe's TPL has the net effect of opting-in to nearly 4,000 tracking domains.
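The merge rule just described is easy to get wrong and easy to check, so here it is in code. This is an added example (the editor's, not Microsoft's TPL engine and not any list publisher's code): a matcher for a small subset of the TPL syntax, merged the way the article says IE 9 merges subscribed lists, run over two constructed lists with made-up domains. The rule syntax assumed here ("-d host" blocks a domain and its subdomains, "+d host" allows one, "#" and ":" lines are comments and metadata, "msFilterList" is the file signature) is this example's reading of the format and should be treated as an assumption; the substring rule types are not handled.

```python
"""TPL-style block-list matcher with "allow in any list wins" merging.

Added example, not code from the article, from Microsoft or from any list
publisher. Rule syntax handled is an assumed subset of the TPL format; the
merge semantics are the ones the article attributes to IE 9.
"""
from urllib.parse import urlsplit


def parse_tpl(text):
    """Return (blocked_domains, allowed_domains) as two sets of lowercase hosts."""
    blocked, allowed = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:" or line == "msFilterList":
            continue  # comments, metadata, file signature
        if line.startswith("-d "):
            blocked.add(line[3:].strip().lower())
        elif line.startswith("+d "):
            allowed.add(line[3:].strip().lower())
        # "-"/"+" URL-substring rules exist in the real format; not handled here
    return blocked, allowed


def domain_matches(host, rule_domain):
    """True if host equals rule_domain or is a subdomain of it (assumed semantics)."""
    return host == rule_domain or host.endswith("." + rule_domain)


def decide(url, lists):
    """Decide what happens to a request for url under the subscribed lists.

    "allow" if any list whitelists the host (an allow rule anywhere beats a
    block rule anywhere else), "block" if some list blocks it and none allows
    it, "pass" when no rule matches at all.
    """
    host = (urlsplit(url).hostname or "").lower()
    for _blocked, allowed in lists:
        if any(domain_matches(host, d) for d in allowed):
            return "allow"
    for blocked, _allowed in lists:
        if any(domain_matches(host, d) for d in blocked):
            return "block"
    return "pass"


def summarize(parsed):
    """(number of block rules, number of allow rules) for a parsed list."""
    blocked, allowed = parsed
    return len(blocked), len(allowed)


# Constructed sample lists; the domains are hypothetical.
STRICT_TPL = """msFilterList
: Expires=7
# blocks two hypothetical trackers
-d tracker.example
-d beacon.example
"""

PERMISSIVE_TPL = """msFilterList
: Expires=7
# whitelists far more than it blocks, the pattern the article warns about
+d tracker.example
+d analytics.example
+d partner-ads.example
-d beacon.example
"""

if __name__ == "__main__":
    strict = parse_tpl(STRICT_TPL)
    permissive = parse_tpl(PERMISSIVE_TPL)
    url = "https://cdn.tracker.example/pixel.gif"
    print("strict only:", decide(url, [strict]))                       # block
    print("strict + permissive:", decide(url, [strict, permissive]))   # allow
    print("permissive (block, allow) rule counts:", summarize(permissive))
```

summarize() is the cheap sanity check the article ends on: a list with far more allow rules than block rules is an opt-in list whatever it calls itself, and under allow-wins merging it silently punches holes in every other list the user subscribes to.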
But even given an agreed-upon definition of "tracking", DNT suffers from a lack of agreement over what sites should do when they encounter an opt-out visitor. The draft says that a server encountering the header must delete any previously-stored data used for third-party tracking. It does not address serving different content back to the client, nor the case where an API enables tracking but also implements other functionality. Finally, as we observed in January, a large number of tracking companies currently regard "opt-out" choices as applying solely to "behavioral advertising."
Most importantly, however, DNT's effectiveness hinges on its adoption by web sites, which at present is entirely voluntary, much like the robots.txt de facto standard for search exclusion. A handful of sites have publicly announced their support for DNT, including the Associated Press, but Eckersley argues that requiring compliance is the only way to guarantee consumer protection.
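What the server side of this looks like, as an added example (the editor's code, not the draft's reference implementation, not any browser vendor's and not any site that has announced DNT support): a toy third-party tracking endpoint that parses both the current "DNT: 1"/"DNT: 0" form and the original "X-Do-Not-Track" form, issues no tracking cookie and deletes the profile it already holds when it sees DNT: 1, and can be switched to ignore the header entirely, which is the enforcement problem in one flag. The cookie name "tid", the precedence of DNT over the older header when both are sent, and the treatment of malformed values as "no preference" are this example's assumptions, not rules from the draft.

```python
"""Server-side handling of the DNT header (added example, not from the draft
or from any real site). Assumptions: cookie name "tid"; "DNT" wins over
"X-Do-Not-Track" if both are present; a malformed value means no preference."""
import itertools
import re

_DNT_VALUE = re.compile(r"^\s*([01])\s*$")


def parse_dnt(headers):
    """Return True (opt out), False (opt in) or None (no usable preference).

    headers: dict of header name -> value; names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("dnt", "x-do-not-track"):  # newer form first (assumption)
        if name in lowered:
            m = _DNT_VALUE.match(lowered[name])
            return m.group(1) == "1" if m else None
    return None


def tracking_id_from_cookie(cookie_header, name="tid"):
    """Pull our tracking id out of a Cookie header, or None if it is absent."""
    for part in (cookie_header or "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name and v:
            return v
    return None


class ThirdPartyTracker:
    """A deliberately minimal cross-site profile store."""

    def __init__(self, honor_dnt=True):
        self.honor_dnt = honor_dnt
        self.profiles = {}               # tracking id -> list of referring URLs
        self._ids = itertools.count(1)   # deterministic ids for the example

    def handle_request(self, headers, referring_url):
        """Process one embedded-resource request from a page at referring_url.

        Returns (set_cookie_value, deleted_profile): the id to send back in a
        Set-Cookie header (None when we must not set one) and whether an
        existing profile was wiped because the client sent DNT: 1, which is
        what the draft requires of a server that sees the header.
        """
        tid = tracking_id_from_cookie(headers.get("Cookie"))
        if self.honor_dnt and parse_dnt(headers) is True:
            deleted = self.profiles.pop(tid, None) is not None
            return None, deleted          # no new cookie, old data gone
        if tid is None:
            tid = str(next(self._ids))
        self.profiles.setdefault(tid, []).append(referring_url)
        return tid, False


def demo(honor_dnt=True):
    """Constructed request sequence: one client visits two sites, then turns
    DNT on. Returns how many profiles the tracker still holds afterwards."""
    t = ThirdPartyTracker(honor_dnt=honor_dnt)
    tid, _ = t.handle_request({}, "https://news.example/")
    t.handle_request({"Cookie": f"tid={tid}"}, "https://shop.example/")
    t.handle_request({"Cookie": f"tid={tid}", "DNT": "1"}, "https://blog.example/")
    return len(t.profiles)


if __name__ == "__main__":
    print("profiles left, honoring DNT:", demo(True))    # 0
    print("profiles left, ignoring DNT:", demo(False))   # 1
```

With honor_dnt=False the identical request sequence leaves the profile in place and growing. Nothing in the protocol distinguishes the two servers from the client's side, which is why the article treats DNT as a policy lever that needs something else, block lists or regulation, behind it.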
DNT enforcement
The US Federal Trade Commission (FTC) endorsed DNT in December of 2010 in a "preliminary staff report" that outlined a framework for consumer privacy protection. The framework includes recommendations for limited data collection and retention, transparent data collection policies, and straightforward opt-in/opt-out mechanisms clearly presented to consumers.
The EFF submitted a public response to the paper, providing answers to the FTC's "questions for comment." In it, the EFF weighs in on the scope of the framework, advocating that the proposed rules be applied to any data that can be "reasonably linked to specific consumer, computer or other device" and not limited to "personally identifiable information" only. That distinction would encompass fingerprinting as well as cookie-based tracking, because, as the EFF also points out, almost any information from a browsing session can be "linked" to a user: location information, browsing history, browser settings, even time-based access patterns.
The historical standard, which assumes that only "personal" information (such as account names or email addresses) can be associated with an individual, is built on the notion that people can remain anonymous by "hiding in the crowd": that it is infeasible to extract enough information about any one user from the crowd to track him or her. Given current computing power, however, that assumption no longer holds: almost anyone can mine the crowd's data and extract or "re-link" an individual. Ultimately, the EFF says, "the linkability problem is a function of the universe of available data, not merely the particular data that one is exchanging."
The EFF also recommends that no businesses be exempted from the rules a priori, but recommends that the FTC (which is tasked with consumer protection and fraud prevention) not police the marketplace as a whole and instead focus on responding to businesses that engage in abuse. Finally, the EFF recommends that the US federal government lead by example and embrace the DNT header for all federal agency web sites.
The EFF's comments and the FTC's staff report do not carry the force of law, but two bills have been introduced in the US House of Representatives that would mandate DNT compliance in one form or another. Eckersley notes in the February post that some commenters believe technical means would be a better incentive for businesses to comply, such as the browser community adding violators to public block lists. He does not include a citation, so it is unclear exactly who those commenters are, or whether they have TPL-style block lists or a different mechanism in mind.
The two-handed approach
It might sound odd to suggest that block lists would be the compliance guarantee for DNT, but consider that Mozilla is no longer the sole browser vendor supporting the header. With IE9 and Safari also implementing the header, only Google Chrome remains a hold-out among the first-tier browser makers. That percentage of the browser market carries considerable weight.
Eckersley ultimately concludes that both block lists and DNT are required to protect consumers' online privacy. Block lists provide verifiable, immediate privacy protection, while DNT provides a regulatory tool for relief against sites that actively seek to harm consumers.
Ideally, widespread adoption of DNT puts privacy back into the hands of the user by default, although that depends on how simply and prominently the browser exposes the DNT setting to the user. It is probably still wishful thinking to expect browser makers to set DNT: 1 by default. Block lists, especially when enabled by default as in IE9, remain a valuable safety net, particularly for people who forget to check their DNT setting. Just remember to avoid TRUSTe's list — and to double-check the contents of any other block list, lest those intent on gaming the system open the door to still more privacy violations.
Comments (11 posted)
Brief items
This announcement means that Dropbox never had any mechanism to prevent employees from accessing your files, and it means that Dropbox never had the crypto smarts to ensure the privacy of your files and never had the smarts to only decrypt the files for you. It turns out, they keep their keys on their servers, and anyone with clearance at Dropbox or anyone that manages to hack into their servers would be able to get access to your files.
-- Miguel de Icaza
Apple has made it possible for almost anybody — a jealous spouse, a private detective — with access to your phone or computer to get detailed information about where you've been.
-- Pete Warden in the Guardian (via Boing Boing)
Honest Achmed's uncles may invite some of their friends to issue certificates as well, in particular their cousins Refik and Abdi or "RA" as they're known. Honest Achmed's uncles assure us that their RA can be trusted, apart from that one time when they lent them the keys to the car, but that was a one-off that won't happen again.
[...]
Honest Achmed promises to studiously verify that payment from anyone requesting a certificate clears before issuing it (except for his uncles, who are good for credit). Achmed guarantees that no certificate will be issued without payment having been received, as per the old Latin proverb "nil certificati sine lucre".
-- "Honest Achmed" requests addition to Mozilla's root certificate store
Honest Achmed is at least more honest than Comodo.
-- Kyle Hamilton
Comments (7 posted)
New vulnerabilities
dhcpcd: arbitrary code execution
Package(s): dhcpcd
CVE #(s): CVE-2011-0996
Created: April 18, 2011
Updated: January 9, 2013
Description: From the CVE entry:
dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
Alerts:
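The bug class behind this entry, an untrusted DHCP hostname spliced into a shell command line, is worth seeing next to its fixes. The following is an added example (the editor's illustration, not dhcpcd's code or its hook scripts, and it makes no claim about where in dhcpcd the flaw sat): the vulnerable pattern, the same action done without a shell, and a hardened version that validates the hostname first. "echo" stands in for whatever hostname(1) or script call a real hook would make, so running it is harmless.

```python
"""Shell metacharacters in a DHCP-supplied hostname: vulnerable vs hardened.

Added example, not dhcpcd's code. "echo" stands in for the real privileged
action so the injection is visible in the output rather than on the host.
"""
import re
import subprocess

# RFC 1123 host name syntax: labels of letters, digits and hyphens, no leading
# or trailing hyphen, 1-63 characters per label, 253 overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def is_valid_hostname(name):
    return bool(_HOSTNAME.match(name))


def set_hostname_vulnerable(name):
    """Command built by string concatenation and run through the shell:
    anything the DHCP server puts after ';', '|', '$(' and so on is executed
    with the privileges of the hook."""
    res = subprocess.run("echo host " + name, shell=True,
                         capture_output=True, text=True)
    return res.stdout


def set_hostname_argv(name):
    """Same action with no shell: the value is a single argv element and is
    never parsed for metacharacters, whatever it contains."""
    res = subprocess.run(["echo", "host", name],
                         capture_output=True, text=True)
    return res.stdout


def set_hostname_hardened(name):
    """Validate first (the value also lands in /etc/hosts, prompts and logs),
    then use argv. Rejects outright rather than trying to 'clean' the string."""
    if not is_valid_hostname(name):
        raise ValueError(f"refusing DHCP-supplied hostname {name!r}")
    return set_hostname_argv(name)


# Constructed DHCP option 12 values: one benign, one hostile.
BENIGN = "lan-printer"
HOSTILE = "lan; echo INJECTED"

if __name__ == "__main__":
    print(set_hostname_vulnerable(HOSTILE), end="")   # host lan / INJECTED
    print(set_hostname_argv(HOSTILE), end="")         # host lan; echo INJECTED
    print(set_hostname_hardened(BENIGN), end="")      # host lan-printer
    try:
        set_hostname_hardened(HOSTILE)
    except ValueError as err:
        print(err)
```

The argv form alone already stops the command from running, but the validation matters on its own: a hostname that is later interpolated into a config file, a prompt or a shell profile by some other tool gets a second chance at injection unless it was rejected at the boundary.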
Comments (none posted)
flash-player: arbitrary code execution
Package(s): flash-player
CVE #(s): CVE-2011-0611
Created: April 18, 2011
Updated: April 20, 2011
Description: From the CVE entry:
Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.
Alerts:
Comments (none posted)
ifcfg-*: insecure file permissions
Package(s): ifcfg-*
CVE #(s): none listed
Created: April 18, 2011
Updated: April 20, 2011
Description: From the openSUSE advisory:
This update fixes the file permissions for ifcfg-* files.
Alerts:
Comments (none posted)
kbd: arbitrary file corruption
Package(s): kbd
CVE #(s): CVE-2011-0460
Created: April 18, 2011
Updated: April 20, 2011
Description: From the openSUSE advisory:
The kbd init script wrote a file to /dev/shm during shut-down. Since local users may create symlinks there, a malicious user could cause corruption of arbitrary files.
Alerts:
Comments (none posted)
kdenetwork: arbitrary code execution
Package(s): kdenetwork
CVE #(s): CVE-2011-1586
Created: April 19, 2011
Updated: May 2, 2011
Description: From the Ubuntu advisory:
It was discovered that KGet did not properly perform input validation when processing metalink files. If a user were tricked into opening a crafted metalink file, a remote attacker could overwrite files via directory traversal, which could eventually lead to arbitrary code execution.
Alerts:
Comments (none posted)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2011-1012, CVE-2011-1082, CVE-2011-1163, CVE-2011-1182, CVE-2011-1476, CVE-2011-1477, CVE-2011-1493
Created: April 18, 2011
Updated: September 14, 2011
Description: From the openSUSE advisory:
CVE-2011-1012: The code for evaluating LDM partitions (in fs/partitions/ldm.c) contained a bug that could crash the kernel for certain corrupted LDM partitions.
CVE-2011-1082: The epoll subsystem in Linux did not prevent users from creating circular epoll file structures, potentially leading to a denial of service (kernel deadlock).
CVE-2011-1163: The code for evaluating OSF partitions (in fs/partitions/osf.c) contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions.
CVE-2011-1182: Local attackers could send signals to their programs that looked like coming from the kernel, potentially gaining privileges in the context of setuid programs.
CVE-2011-1476: Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces. On x86, this just returns an error, but it could have caused memory corruption on other architectures. Other malformed requests could have resulted in the use of uninitialized variables.
CVE-2011-1477: Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation.
CVE-2011-1493: In the rose networking stack, when parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Check against ROSE_MAX_DIGIS to prevent overflows, and abort facilities parsing on failure.
Alerts:
Comments (none posted)
krb5: arbitrary code execution
Package(s): krb5
CVE #(s): CVE-2011-0285
Created: April 15, 2011
Updated: April 26, 2011
Description: From the CVE entry:
The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.
Alerts:
Comments (none posted)
language-selector: local command execution
Package(s): language-selector
CVE #(s): CVE-2011-0729
Created: April 20, 2011
Updated: April 20, 2011
Description:
A local attacker can make use of an authorization check failure in language-selector's D-Bus backend to run arbitrary commands as root.
Alerts:
Comments (none posted)
libmodplug: stack based buffer overflow
Package(s): libmodplug
CVE #(s): CVE-2011-1574
Created: April 18, 2011
Updated: March 16, 2012
Description: From the openSUSE advisory:
Libmodplug is vulnerable to a stack based buffer overflow when handling malicious S3M media files. CVE-2011-1574 has been assigned to this issue.
Alerts:
Comments (none posted)
libmojolicious-perl: directory traversal
Package(s): libmojolicious-perl
CVE #(s): CVE-2011-1589
Created: April 20, 2011
Updated: April 26, 2011
Description:
The Mojolicious web application framework contains a directory traversal vulnerability.
Alerts:
Comments (none posted)
libtiff: arbitrary code execution
Package(s): libtiff
CVE #(s): CVE-2009-5022
Created: April 18, 2011
Updated: June 10, 2011
Description: From the Red Hat advisory:
A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF image files that were compressed with the JPEG compression algorithm. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
Alerts:
Comments (none posted)
perl: tainted data laundering
Package(s): perl
CVE #(s): none listed
Created: April 14, 2011
Updated: April 20, 2011
Description: From the Perl advisory:
The current perlsec 5.13 man page still claims that "Laundering data using regular expression is the only mechanism for untainting dirty data", or by "using them as keys in a hash" - yet functions lc() and uc() are unwarrantedly laundering data too.
This holds true for v5.10.1, v5.12.3 and v5.13.10; but not for v5.8.8.
Alerts:
Comments (none posted)
PolicyKit: local privilege escalation
Package(s): polkit policykit
CVE #(s): CVE-2011-1485
Created: April 20, 2011
Updated: April 18, 2012
Description:
The pkexec utility can be exploited by a local user to run arbitrary commands as root.
Alerts:
Comments (none posted)
postfix: symlink attack
Package(s): postfix
CVE #(s): CVE-2009-2939
Created: April 18, 2011
Updated: May 11, 2011
Description: From the Ubuntu advisory:
It was discovered that the Postfix package incorrectly granted write access on the PID directory to the postfix user. A local attacker could use this flaw to possibly conduct a symlink attack and overwrite arbitrary files. This issue only affected Ubuntu 6.06 LTS and 8.04 LTS.
Alerts:
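This entry and the kbd entry above are the same bug class: a privileged process writes a file by name into a directory an unprivileged user can also write to, and the user plants a symlink under that name first. The following is an added example (the editor's, not the kbd init script, not the Postfix package scripts, and not tied to either project's actual fix) that reproduces the situation inside a temporary directory, which stands in for /dev/shm or the Postfix PID directory, and shows the open() flags that close it.

```python
"""Symlink attack on a file written into a shared directory, and the fix.

Added example; the directory layout, file names and contents are constructed
here and stand in for /dev/shm (kbd) or a mail spool PID directory (Postfix).
"""
import os
import tempfile


def naive_write(path, data):
    """open(path, 'w') follows a symlink sitting at path, so a planted link
    redirects the write to any file the writer (root, postfix) may touch."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data, mode=0o600):
    """Create the file atomically and refuse if anything already sits at path.

    O_CREAT|O_EXCL fails with EEXIST when path exists, and POSIX specifies that
    it fails even when path is a symlink, wherever the link points. O_NOFOLLOW
    is belt and braces on platforms that have it. Callers must treat
    FileExistsError as an attack indicator and stop, not fall back to open().
    Better still is to not write into a shared directory at all: use one only
    the writer can modify, or tempfile.mkstemp() inside it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def simulate_attack():
    """Returns (victim contents after the naive write,
                whether safe_write refused the planted symlink,
                whether safe_write succeeded on a fresh name)."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "important.conf")
        with open(victim, "w") as f:
            f.write("original configuration\n")

        shared = os.path.join(root, "shm")         # stands in for /dev/shm
        os.mkdir(shared)
        state_file = os.path.join(shared, "kbd.state")
        os.symlink(victim, state_file)             # planted by the local user

        naive_write(state_file, "garbage\n")       # what the init script did
        with open(victim) as f:
            after = f.read()

        try:
            safe_write(state_file, "garbage\n")
            refused = False
        except FileExistsError:
            refused = True

        fresh = os.path.join(shared, "kbd.state.new")
        safe_write(fresh, "ok\n")
        with open(fresh) as f:
            fresh_ok = f.read() == "ok\n"
        return after, refused, fresh_ok


if __name__ == "__main__":
    after, refused, fresh_ok = simulate_attack()
    print("victim after naive write:", repr(after))   # 'garbage\n'
    print("safe_write refused symlink:", refused)      # True
    print("safe_write on fresh name ok:", fresh_ok)    # True
```

The refusal is the point: a privileged writer that finds something already at the name it intended to create has no safe way to proceed in a shared directory, because between any check it makes and the open() the attacker can swap the entry again.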
Comments (none posted)
request-tracker: multiple vulnerabilities
Comments (none posted)
Page editor: Jake Edge