By Nathan Willis
October 17, 2012
At times it can seem like protecting one's online privacy is a
Sisyphean struggle. Even when the software industry listens to the
concerns of privacy advocates, the site owners and secretive
data-collectors who profit from pillaging private information are
quick to find every loophole and work-around in existence to regain
their access to profitable data. Such seems to be the case with the
Do Not Track HTTP header (DNT),
which has garnered support from browser vendors — plus a steady
stream of assaults aimed at undermining it, courtesy of advertisers.
Preferences, browsers, and intent
Although "opt out" mechanisms for web tracking have been discussed for
years, the DNT HTTP header approach was first
proposed by Mozilla's Mike Shaver. It has subsequently been
developed under the stewardship of the World Wide Web Consortium's
(W3C) Tracking Protection Working Group. According to the latest
draft of the specification,
DNT is an optional HTTP header field that can take either 0 or 1 as a
value, where 1 indicates that the user prefers not to be tracked, and
0 indicates that the user prefers to allow tracking. The key issue,
however, is that the header is intended to represent a user
preference — which most interpret to mean a conscious
choice on the user's part — and it must not be sent at all if
the user has not expressed such a preference to the browser.
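The three states the draft describes (1, 0, and not sent at all) are easy to collapse into two on the server side, which is exactly the distinction the rest of the article turns on. The following is an added example, not code from the article or from the W3C working group, showing how a server-side component can interpret the header so that "no preference expressed" is kept separate from "prefers to allow tracking". The `TrackingPreference` type, the `parse_dnt` and `may_set_tracking_cookie` functions, and the handling of malformed values are all assumptions made for this example; the article only says the header takes 0 or 1 and must be absent when no choice was made.

```python
"""Interpret the Do Not Track (DNT) request header with three outcomes:
DNT: 1  -> the user prefers not to be tracked
DNT: 0  -> the user prefers to allow tracking
absent  -> no preference was expressed (the header must not be sent then)

Added example; not the article's or the W3C's code. Names and the
treatment of malformed values are assumptions."""
from enum import Enum
from typing import Mapping, Optional


class TrackingPreference(Enum):
    NO_PREFERENCE = "unset"   # header absent: the user chose nothing
    DO_NOT_TRACK = "1"
    ALLOW_TRACKING = "0"


def parse_dnt(headers: Mapping[str, str]) -> TrackingPreference:
    """Map the DNT request header to a TrackingPreference.

    HTTP header names are case-insensitive, so the lookup is too.
    The draft grammar allows extension characters after the digit, so
    only the leading character carries the preference. Any other value
    is treated as if nothing had been sent (assumption: the draft defines
    only 0 and 1, and an unparseable value is not a user choice).
    """
    value: Optional[str] = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if not value:
        return TrackingPreference.NO_PREFERENCE
    if value[0] == "1":
        return TrackingPreference.DO_NOT_TRACK
    if value[0] == "0":
        return TrackingPreference.ALLOW_TRACKING
    return TrackingPreference.NO_PREFERENCE


def may_set_tracking_cookie(headers: Mapping[str, str],
                            site_default_tracks: bool = True) -> bool:
    """Decide whether a cross-session tracking cookie may be set.

    DNT=1 always refuses and DNT=0 always permits; only when the header is
    absent does the site's own default policy apply. Keeping that third
    branch is what makes an un-chosen header (the IE 10 dispute) matter:
    a header that is always present can never reach the default branch.
    """
    pref = parse_dnt(headers)
    if pref is TrackingPreference.DO_NOT_TRACK:
        return False
    if pref is TrackingPreference.ALLOW_TRACKING:
        return True
    return site_default_tracks


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Host": "example.test", "DNT": "1"},
        {"Host": "example.test", "dnt": "0"},
        {"Host": "example.test"},
        {"Host": "example.test", "DNT": "yes"},
    ]
    for h in samples:
        print(h.get("DNT", h.get("dnt", "<absent>")),
              parse_dnt(h).name, may_set_tracking_cookie(h))
```

A site that wants to comply with the draft in the sense the article describes should route every tracking decision through something like `may_set_tracking_cookie` rather than testing `DNT == "1"` in one place, so that the "absent" case is handled deliberately instead of by accident.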
Initially Mozilla was the only browser vendor behind DNT, but Opera added
support in July in Opera 12, as
did Apple a few weeks later in Safari 6. Google
added
support in Chromium on September 13. In all four browsers, the DNT
setting must be manually enabled in the application preferences.
Mozilla contended
from quite early on that this is a critical facet of making DNT a
workable solution. If DNT were enabled automatically or by default,
it would no longer represent "a choice made by the person behind
the keyboard," but one made by the browser vendor.
The decision was controversial — after all, reasoned critics,
who in their right mind wants to be tracked? But Mozilla
stood firm, and eventually the other browser makers followed suit.
Until June 2012, that is, when Microsoft announced that Internet
Explorer (IE) 10 (which is scheduled to ship with Windows 8) would
present the DNT option as a check-box shown to the user during
installation, with the do-not-track option selected by default.
But enabling DNT by default violates the specification, opponents
argued, and strips it of its meaning. And if the DNT header does not
reflect an actual user's decision, the argument goes, advertisers will
be justified in ignoring it. Apache's Roy Fielding objected strongly
enough that he committed a change
that causes the web server to un-set the DNT header when it is sent by
IE 10. Fielding is a member of the W3C Tracking Protection Working
Group, and his log message for the commit said that "Apache does
not tolerate deliberate abuse of open standards." He
elaborated on that interpretation in the inevitable argument that
followed on GitHub,
calling
Microsoft's decision broken because it violates the specification's
requirement that the DNT header default to "unset." Apache, he said,
"has no particular interest in what goes in the open standard --
only in that the protocol means what the WG says it means when the
extra eight bytes are sent on the wire."
Conspiracy theorists might suspect that Microsoft's decision is a
subtle ploy to undermine DNT entirely to curry favor with advertisers
and other user-tracking firms. If so, the advertising world
is doing an excellent job of maintaining a cover story; the
Association of National Advertisers (ANA) publicly
criticized the decision in an open letter to Microsoft management.
Step right up
Regardless of what happens on the browser and server fronts, DNT still
relies on voluntary compliance on behalf of site administrators and
service providers — and, by extension, compliance that matches
up with what the user intends. The meaning of DNT might seem to be
straightforward, but the people who make their money tracking users
cannot be forced to agree. In September, Ed Bott at ZDNet
reported that the Interactive Advertising Bureau (IAB) and the
Digital Advertising Alliance (DAA) "devised their own
interpretation" of DNT, under which they would continue to
collect information, but would refrain from using that information to
deliver targeted ads to the browser. Presumably that restraint lasts
only for the duration of the browsing session in which DNT is sent.
Lest anyone propose a "Do Not Target Ads" HTTP header that IAB and DAA
might conversely interpret as a reason to stop collecting tracking
information, remember that nothing obligates advertisers or other
information brokers to react to the header at all. Grant Gross at IDG said
at least one site, a "tech-focused think tank" called the Information
Technology and Innovation Foundation (ITIF), has unilaterally decided
it will simply ignore the DNT header, and its site will report that
fact to visitors.
Other members of the advertising business have embarked on their own
campaigns to nip DNT in the bud. In June, the US Senate held hearings
about tracking and DNT in particular. As the Electronic Frontier
Foundation (EFF) observed,
ANA representative Bob Liodice testified at the hearings that DNT
would undermine cybersecurity, including "issues such as online
sexual predators and identity theft." The Senate did not seem
to buy Liodice's argument (Senator Jay Rockefeller, chairman of the
Committee on Commerce, Science, and Transportation, declared the
cybersecurity argument "a total red herring"), although
the EFF noted that online tracking does raise important law
enforcement questions in addition to its advertising angle.
Most recently, DNT critics gathered at the W3C Tracking Protection
Working Group meeting in Amsterdam, where the Direct Marketing
Association (DMA) proposed that an exception be added to the DNT
specification for "marketing." The EFF blog
entry about the meeting quotes the DMA representative as saying:
Marketing fuels the world. It is as American as apple pie and delivers
relevant advertising to consumers about products they will be
interested at a time they are interested. DNT should permit it as one
of the most important values of civil society.
Such an "exception" would seem to cover the precise tracking scenario for
which DNT is designed, and indeed other members of the working group
fought back. Fielding accused
DMA of "raising issues that you know quite well will not be
adopted." The EFF views DMA's participation in the meeting as
an attempt to undermine or derail the specification-writing process.
That is a bit of a judgment call, but it is clear from the latest
traffic on the working group's mailing
list that DMA, DAA, and other advertising groups are not meshing
well with the software industry representatives who typically account
for the bulk of W3C participation. In recent weeks there have been
multiple threads about redefining basic terms like "service provider"
and "user agent" that indicate (at the very least) a culture clash.
On the plus side, there have been sites and web services that have
voluntarily announced their intention to comply with DNT; Twitter is
the highest-profile. But the specification is far from completion,
and as recent events show, voluntary compliance will only take care of
a subset of the data-collecting entities on the web today. In the
GitHub comment linked to above, Fielding speculated that the long-term
ploy of DNT advocates was to get widespread adoption, then to push for
mandatory compliance through legislation. Whether that will happen is
anyone's guess; the US Federal Trade Commission (FTC) has endorsed
DNT, which in addition to the US Senate hearings might provide enough
evidence to make the advertising industry wary.
Implementing a campaign of "good enough for most" self-regulation
would be one path to avoiding such government oversight, and derailing
or gutting the specification could be effective, too. At the moment,
the advertising business seems to be pursuing both tactics. It is up
to the W3C and privacy advocates to respond, but at least for the time
being the only guaranteed way for users to safeguard their privacy
remains the do-it-yourself approach: Tor, NoScript, Adblock Plus, and
so on. A world where user-tracking is simply not an issue sounds
nice — it just doesn't sound likely in the near-term.
Comments (26 posted)
Brief items
But at least it's patented by a notorious patent troll, which means that
other jackasses who try to implement this stupid idea will find themselves
tied up in absurd, wasteful lawsuits. It's mutually assured dipshits.
-- Cory Doctorow on a patent by Intellectual Ventures for 3D printing DRM
Use of the card, accepted by every major Bay Area public transit
system, is soaring with 689,000 transactions a day and more than 1
million active Clipper cards. Many cardholders might not realize that
data tracking their every move on public transit is stored on
computers and available to anyone with a search warrant or subpoena.
Personal data can be stored for seven years after a Clipper account
is closed, according to the commission's policy. In addition, a new
smartphone app, called FareBot, allows anyone to scan a Clipper card
and find out where the owner has been.
-- NBC Bay Area notes that San Francisco "Clipper Cards" reveal users' movements to authorities
Comments (8 posted)
Firefox 16, which was released on October 9, has subsequently been
withdrawn due to a privacy leak. Ars Technica looks at code that can
exploit the flaw, which is not present in Firefox 15. "In short order, he
was able to take advantage of his discovery to fashion proof-of-concept
code that forced Firefox 16 to identify a visitor's Twitter handle whenever
the user was logged in to the site. The eight-line code sample takes about
10 seconds to reveal the username, and it wouldn't be hard for developers
to expand on that code to create attacks that extract personal information
contained in URLs from other websites."
Comments (6 posted)
Mozilla has now released version 16.0.1 of Firefox, fixing the security hole discovered October 10 in Firefox 16, as well as a few other incidental issues. The H has a brief recap of the situation, including availability of the corresponding update for other Mozilla products.
Comments (10 posted)
New vulnerabilities
cxf: multiple vulnerabilities
Package(s): cxf
CVE #(s): CVE-2012-2379, CVE-2012-2378, CVE-2012-3451
Created: October 12, 2012
Updated: October 17, 2012
Description: From the Fedora advisory:
A flaw was found in the way Apache CXF verifies that XML elements were signed or encrypted by a particular Supporting Token. CXF checks to ensure these elements are signed or encrypted by a Supporting Token, but not whether the correct token is used. A remote attacker could use this flaw to transmit confidential information without the appropriate security, and potentially to circumvent access controls on web services exposed via CXF. (CVE-2012-2379)
A flaw was found in the way Apache CXF enforced child policies of WS-SecurityPolicy 1.1 on the client side. In certain circumstances, this could lead a client failing to sign or encrypt certain elements as directed by the security policy, leading to information disclosure and insecure transmission of information. (CVE-2012-2378)
Apache CXF is vulnerable to SOAPAction spoofing attacks under certain conditions. If web services are exposed via Apache CXF that use a unique SOAPAction for each service operation, then a remote attacker could perform SOAPAction spoofing to call a forbidden operation if it accepts the same parameters as an allowed operation. WS-Policy validation is performed against the operation being invoked, and an attack must pass validation to be successful. (CVE-2012-3451)
Comments (none posted)
dracut: information disclosure
Package(s): dracut
CVE #(s): CVE-2012-4453
Created: October 15, 2012
Updated: October 22, 2012
Description: From the CVE entry:
dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information.
Comments (none posted)
html2ps: directory traversal
Package(s): html2ps
CVE #(s): CVE-2009-5067
Created: October 16, 2012
Updated: April 8, 2013
Description: From the Mageia advisory:
Directory traversal vulnerability in html2ps before 1.0b7 allows
remote attackers to read arbitrary files via directory traversal
sequences in SSI directive.
Comments (none posted)
java: multiple vulnerabilities
Package(s): java
CVE #(s): CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069,
CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077,
CVE-2012-5079, CVE-2012-5081, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086,
CVE-2012-5089
Created: October 17, 2012
Updated: December 3, 2012
Description: From the Red Hat advisory:
Multiple improper permission check issues were discovered in the Beans,
Swing, and JMX components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2012-5086, CVE-2012-5084, CVE-2012-5089)
Multiple improper permission check issues were discovered in the Scripting,
JMX, Concurrency, Libraries, and Security components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass
certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071,
CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)
It was discovered that java.util.ServiceLoader could create an instance of
an incompatible class while performing provider lookup. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2012-5079)
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS
implementation did not properly handle handshake records containing an
overly large data length value. An unauthenticated, remote attacker could
possibly use this flaw to cause an SSL/TLS server to terminate with an
exception. (CVE-2012-5081)
It was discovered that the JMX component in OpenJDK could perform certain
actions in an insecure manner. An untrusted Java application or applet
could possibly use this flaw to disclose sensitive information.
(CVE-2012-5075)
A bug in the Java HotSpot Virtual Machine optimization code could cause it
to not perform array initialization in certain cases. An untrusted Java
application or applet could use this flaw to disclose portions of the
virtual machine's memory. (CVE-2012-4416)
It was discovered that the SecureRandom class did not properly protect
against the creation of multiple seeders. An untrusted Java application or
applet could possibly use this flaw to disclose sensitive information.
(CVE-2012-5077)
It was discovered that the java.io.FilePermission class exposed the hash
code of the canonicalized path name. An untrusted Java application or
applet could possibly use this flaw to determine certain system paths, such
as the current working directory. (CVE-2012-3216)
This update disables Gopher protocol support in the java.net package by
default. Gopher support can be enabled by setting the newly introduced
property, "jdk.net.registerGopherProtocol", to true. (CVE-2012-5085)
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
Comments (none posted)
java: multiple vulnerabilities
Package(s): java
CVE #(s): CVE-2012-5070, CVE-2012-5074, CVE-2012-5076, CVE-2012-5087,
CVE-2012-5088
Created: October 17, 2012
Updated: November 21, 2012
Description: From the Red Hat advisory:
It was discovered that the JMX component in OpenJDK could perform certain
actions in an insecure manner. An untrusted Java application or applet
could possibly use these flaws to disclose sensitive information.
(CVE-2012-5070, CVE-2012-5075)
The default Java security properties configuration did not restrict access
to certain com.sun.org.glassfish packages. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions. This
update lists those packages as restricted. (CVE-2012-5076, CVE-2012-5074)
Multiple improper permission check issues were discovered in the Beans,
Libraries, Swing, and JMX components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5084,
CVE-2012-5089)
Comments (none posted)
libvirt: denial of service
Package(s): libvirt
CVE #(s): CVE-2012-4423
Created: October 11, 2012
Updated: November 20, 2012
Description: From the Red Hat advisory:
A flaw was found in libvirtd's RPC call handling. An attacker able to
establish a read-only connection to libvirtd could use this flaw to crash
libvirtd by sending an RPC message that has an event as the RPC number, or
an RPC number that falls into a gap in the RPC dispatch table.
(CVE-2012-4423)
Comments (none posted)
mozilla: code execution
Package(s): firefox, thunderbird, seamonkey, xulrunner
CVE #(s): CVE-2012-4193
Created: October 15, 2012
Updated: October 17, 2012
Description: From the Red Hat advisory:
A flaw was found in the way XULRunner handled security wrappers. A web page
containing malicious content could possibly cause an application linked
against XULRunner (such as Mozilla Firefox) to execute arbitrary code with
the privileges of the user running the application.
Comments (none posted)
mozilla: multiple vulnerabilities
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2012-4191, CVE-2012-4192
Created: October 15, 2012
Updated: October 17, 2012
Description: From the CVE entries:
The mozilla::net::FailDelayManager::Lookup function in the WebSockets implementation in Mozilla Firefox before 16.0.1, Thunderbird before 16.0.1, and SeaMonkey before 2.13.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. (CVE-2012-4191)
Mozilla Firefox 16.0, Thunderbird 16.0, and SeaMonkey 2.13 allow remote attackers to bypass the Same Origin Policy and read the properties of a Location object via a crafted web site, a related issue to CVE-2012-4193. (CVE-2012-4192)
Comments (none posted)
mozilla: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2012-3977, CVE-2012-3987
Created: October 17, 2012
Updated: October 17, 2012
Description: From the SUSE advisory:
CVE-2012-3977: Security researchers Thai Duong and Juliano Rizzo reported
that SPDY's request header compression leads to information leakage, which
can allow the extraction of private data such as session cookies, even over
an encrypted SSL connection. (This does not affect Firefox 10 as it does
not feature the SPDY extension. It was silently fixed for Firefox 15.)
CVE-2012-3987: Security researcher Warren He reported that when a page is
transitioned into Reader Mode in Firefox for Android, the resulting page
has chrome privileges and its content is not thoroughly sanitized. A
successful attack requires user enabling of reader mode for a malicious
page, which could then perform an attack similar to cross-site scripting
(XSS) to gain the privileges allowed to Firefox on an Android device. This
has been fixed by changing the Reader Mode page into an unprivileged page.
Comments (none posted)
optipng: code execution
Package(s): optipng
CVE #(s): CVE-2012-4432
Created: October 11, 2012
Updated: October 17, 2012
Description: From the SUSE Bugzilla entry:
A vulnerability has been reported in OptiPNG, which can be exploited by
malicious people to potentially compromise a user's system.
The vulnerability is caused due to a use-after-free error related to the
palette reduction functionality. No further information is currently
available.
Successful exploitation may allow execution of arbitrary code.
Comments (none posted)
perl-HTML-Template-Pro: cross-site scripting
Package(s): perl-HTML-Template-Pro
CVE #(s): CVE-2011-4616
Created: October 15, 2012
Updated: October 22, 2012
Description: From the CVE entry:
Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module before 0.9507 for Perl allows remote attackers to inject arbitrary web script or HTML via template parameters, related to improper handling of > (greater than) and < (less than) characters.
Comments (none posted)
phpmyadmin: multiple vulnerabilities
Package(s): phpmyadmin
CVE #(s): (none listed)
Created: October 16, 2012
Updated: October 29, 2012
Description: From the phpMyAdmin advisories [1], [2]:
[1] Multiple XSS due to unescaped HTML output in Trigger, Procedure and Event pages. When creating/modifying a trigger, event or procedure with a crafted name, it is possible to trigger an XSS.
[2] Fetching the version information from a non-SSL site is vulnerable to a MITM attack. To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the phpmyadmin.net website in non-SSL mode. A man-in-the-middle could modify this script on the wire to cause mischief.
Comments (none posted)
qt: CRIME attacks
Package(s): qt
CVE #(s): (none listed)
Created: October 15, 2012
Updated: October 17, 2012
Description: From the qt advisory:
A security vulnerability has been discovered in the SSL/TLS protocol, which affects connections using compression.
All versions of TLS are believed to be affected.
To address this, Qt will disable TLS compression by default.
If the attacker can insert data into the SSL connection, then by looking at the length of the compressed data it is possible to determine if the inserted data matches secret data or not.
Comments (none posted)
roundcubemail: cross-site scripting
Package(s): roundcubemail
CVE #(s): CVE-2012-4668
Created: October 11, 2012
Updated: October 17, 2012
Description: From the Mageia advisory:
Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and
earlier allows remote attackers to inject arbitrary web script or HTML
via the signature in an email (CVE-2012-4668).
Comments (none posted)
ruby: access restriction bypass
Package(s): ruby1.8
CVE #(s): CVE-2012-4481
Created: October 11, 2012
Updated: March 8, 2013
Description: From the Ubuntu advisory:
Shugo Maeda and Vit Ondruch discovered that Ruby incorrectly allowed untainted
strings to be modified in protective safe levels. An attacker could use this
flaw to bypass intended access restrictions. (CVE-2012-4466, CVE-2012-4481)
Comments (none posted)
ruby: two access restriction bypass flaws
Package(s): ruby1.9.1
CVE #(s): CVE-2012-4464, CVE-2012-4466
Created: October 11, 2012
Updated: November 5, 2012
Description: From the Ubuntu advisory:
Tyler Hicks and Shugo Maeda discovered that Ruby incorrectly allowed untainted
strings to be modified in protective safe levels. An attacker could use this
flaw to bypass intended access restrictions. (CVE-2012-4464, CVE-2012-4466)
Comments (none posted)
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): (none listed)
Created: October 11, 2012
Updated: December 3, 2012
Description: From the SUSE Bugzilla entry:
The HSRP dissector could go into an infinite loop. (wnpa-sec-2012-26, CVE-2012-5237)
The PPP dissector could abort. (wnpa-sec-2012-27, CVE-2012-5238)
Martin Wilck discovered an infinite loop in the DRDA dissector. (wnpa-sec-2012-28, CVE-2012-5239, CVE-2012-3548; see bnc#778000)
Laurent Butti discovered a buffer overflow in the LDP dissector. (wnpa-sec-2012-29, CVE-2012-5240)
Comments (none posted)
Page editor: Michael Kerrisk