There oughta be a law, as they say, and now there is one in Utah. Yes, Utah is the first state in the US to pass legislation banning certain kinds of spyware, the Spyware Control Act, and they took a heap of criticism from the likes of Microsoft and even cuddlier companies like Google, Novell and Amazon, who tried to block it from being passed, but failed. The governor just signed it last week.
Why? What is in this bill that such a broad coalition of
companies took a look at it and didn't like what they saw?
The best place to go to understand the new law is Ben Edelman's page,
A Close Reading
of Utah's Spyware Control Act (H.B.323). He has a clear chart
showing in a creative way what the law says, with all its subclauses
visually laid out. He consulted with the Utah legislators who
prepared the bill, and his take on it is worth reading.
He was mightily surprised to see companies like Yahoo and AOL and
Amazon and all the rest united against this bill. He concludes they
have misunderstood the bill, and after researching it, I think that is
indeed part of the problem. Novell's Vice President and Deputy General
Counsel Ryan Richards wrote an Op Ed piece for the local paper about the
bill in mid-March, "'Spyware' Bill Would Hurt Net Use", where he lays out the objections
that he had to the bill and what he felt would be its unintended
consequences. Here's a bit of what he wrote: ". . . the bill in its
current form could potentially criminalize some of the most popular
consumer software on the market, including popular media players,
anti-virus programs, internet services, e-mail programs, and networking
software."
After reading the bill itself, however, I believe he misunderstood the
law, and I have concluded that the consequences are not unintended but
rather precisely what the legislators meant to achieve. They intended
that hidden spyware that transmits information about users without
their consent be outlawed. It's a bit like the definition of spam.
"Legitimate" advertisers would like us to exempt their mailings from that
definition. Now they want us to exempt them from the definition
of spyware. The Utah legislators passed a bill that doesn't make that
distinction. They are telling all companies to just quit it.
Because Ed Felten's analysis
of the bill included the statement, "I have not seen specific
examples of legitimate software that would be affected," I asked
Novell's Bruce Lowry what products of theirs might be impacted by this
bill, if any. He replied that while the bill is written in a vague
enough way that he wasn't quite sure, one product might be ZENworks,
used to configure machines and update software, including security
patches, remotely. You can see a demonstration of ZENworks in a video
on Novell's coverage of its recent Brainshare conference. I
thought it looked like a wonderful product, but it does have to monitor
computer usage to work and it sends reports back to a remote server,
"both actions that would appear to make ZENworks 'spyware' under the
terms of the legislation," Lowry worries. "The language doesn't
distinguish between this type of high value, legitimate monitoring of
computer activity from those actions that the legislation is ostensibly
targeting - i.e. unsolicited advertising."
That would be an understandable worry, if he were correct that the law
outlawed that product and others like it. But my reading of the
statute convinces me that the bill only requires companies to let users
know how products like ZENworks do what they do, get user consent,
which presumably they already do, and make it possible to uninstall
ZENworks, if users want to later. How burdensome is that? Further,
Section 5 specifically excludes
"software designed and installed solely to diagnose or resolve
technical difficulties."
The strong reaction to this modest bill -- and you can read
a PDF letter written by the companies and organizations that united
to oppose it -- makes me heart-sinkingly sure that companies currently do
quite a bit of monitoring and that the bill is designed to solve a
runaway problem. Obviously, currently there is no law against
spyware, except in Utah, although there is a bill being prepared on the
federal level, and the FTC is holding hearings in April. Europe is considerably ahead of the US on privacy issues, maybe because Madison Avenue is an American phenomenon.
Might Mr. Richards be referring to that popular media player of the
same name that the EU Commission just ordered Microsoft to unbundle,
for example? Considering Microsoft Media Player's
calling-home features, I'd say "probably." And while everyone has been talking about "benign" and "important and beneficial Internet communication software", that perennial favorite "stifling innovation", and the bill burdening users with notices, as if anybody cared about us anyhow, the truth is more likely to be elsewhere. Might it be
that advertisers are worried about their income stream, and that at
least some of the objecting parties - who are also entertainment
purveyors - want to know exactly what everybody is up to with their music
and DVDs and intend to spy to the extent they think they can get
away with?
There is also a chilling statement in the letter
listing reasons the signatories oppose the bill: "The bill also would
create serious barriers to collection of data that Internet companies
and security companies use to analyze and prevent hacker attacks on the
Internet. This security problem is exacerbated by the fact that
computer hackers, and other criminals could refuse to consent to use
the software that law enforcement officials need to be able to conduct
investigations." What are they saying? That instead of getting court orders to track criminals, which doesn't require their permission, law enforcement officials currently track everybody with commercial spyware? That's the kind of revelation, if that's what they meant, that gives privacy lovers hives.
So, what does the bill outlaw?
First, what it doesn't outlaw. It doesn't say they can't spy on us
customers. They just have to tell us, in plain language, what they
intend to do and get our consent, and make it possible for us to
uninstall whatever we let them put on our computers,
if we later change our minds. Before you say no one would ever give
consent, think about Google's toolbar. A lot of folks trust Google,
and they say yes when Google asks if they can track them. And no, Google's toolbar is not outlawed by this bill, because they comply with the notice and uninstall requirements already. Maybe that's why many trust them.
Excluded from the definition of spyware are programs that diagnose or
resolve technical problems, cookies, HTML code, and JavaScript used
to report info stored on the user's computer, and operating systems.
Plenty of wiggle room there. Anti-virus software and firewalls
typically come with licenses that tell you what they do and thus get
the necessary consent. The bill also outlaws intrusive ads that block
the user's view of "legitimate" paid ads and website content. The
liability for those who do it anyway is $10,000 per ad displayed, and
that is tripled if the jury thinks they did it on purpose.
There is a catch. The victim can't bring a lawsuit. Only website
owners, advertisers, and copyright and trademark owners (that elite
bunch that legislators adore to write laws for) can sue. The rest of
Utah's citizens must report violations to the Division of Consumer
Protection, and the agency follows through, hopefully. The Utah
legislators need to vote some funding if they are serious about
stamping out spyware in Utah.
Ben Edelman tells me it wouldn't surprise him to see exactly that
happen in coming years. "I think the bill reflects a good initial
attempt to protect consumers and web sites from the many negative
effects of spyware programs," he says, "and I think it offers a sensible and workable framework for doing so."
Remote buffer overflow vulnerabilities have been found in Courier-IMAP
and Courier MTA. They may allow the execution of arbitrary
code, giving unauthorized access to a vulnerable system.
The emil mail filter utility has buffer overflow and format string
vulnerabilities that can be exploited locally and remotely. It may be
possible to craft an email that exploits them and executes arbitrary code.
A remotely exploitable overflow exists in oftpd versions 0.3.6 and
earlier, allowing an attacker to crash the oftpd daemon. Issuing a PORT
command with a field value higher than 255 causes the server to crash. The PORT
command may be issued before any authentication takes place, so the
attacker does not need a valid username and password in order to
exploit this vulnerability.
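The oftpd crash is a missing range check on the six fields of the PORT argument. As an added illustration (not oftpd's code; the dispatcher, reply strings and sample commands are my own), this parser rejects out-of-range fields before they reach any code that assumes a byte-sized value, and refuses PORT before login:

```python
import re
from typing import Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with each field a decimal 0..255.
PORT_ARG = re.compile(r"^[0-9]{1,3}(?:,[0-9]{1,3}){5}$")


def parse_port_command(arg: str) -> Tuple[str, int]:
    """Parse a PORT argument into (host, port), rejecting anything out of range.

    The regex limits each field to three digits, but "300" still matches it,
    so every field is range-checked explicitly before it is used.
    """
    arg = arg.strip()
    if not PORT_ARG.match(arg):
        raise ValueError("PORT argument must be six comma-separated decimal fields")
    fields = [int(f) for f in arg.split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range (0-255)")
    h1, h2, h3, h4, p1, p2 = fields
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("PORT must not be 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def handle_command(line: str, authenticated: bool) -> str:
    """Hypothetical minimal command dispatcher: PORT is refused until the client has logged in."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb != "PORT":
        return "502 Command not implemented."
    if not authenticated:
        return "530 Please login with USER and PASS."
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        # A malformed argument is answered with an error, never acted on.
        return f"501 Syntax error in parameters: {exc}"
    return f"200 PORT command successful ({host}:{port})."


if __name__ == "__main__":
    # Constructed sample commands; 192.0.2.0/24 is documentation address space.
    for cmd, auth in (("PORT 192,0,2,10,4,1", True),
                      ("PORT 192,0,2,10,300,1", True),
                      ("PORT 192,0,2,10,300,1", False)):
        print(f"{cmd!r} auth={auth} -> {handle_command(cmd, auth)}")
```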
Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker.
Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to
authenticate using a PostgreSQL database. The library does not escape all
user-supplied data sent to the database. An attacker could
exploit this bug to inject SQL statements.
A bug was found in the processing of %-encoded characters in a URL in
versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses
Access Control Lists (ACLs), a remote attacker could create URLs that would
not be correctly tested against Squid's ACLs, potentially allowing clients
to access prohibited URLs.
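The general defence the Squid bug calls for is to test ACLs against a canonical form of the URL rather than the raw request line. The following added example (my illustration, not Squid's code; the deny-list, hostname and sample URLs are made up) compares a raw-string check with a canonicalizing one, and also rejects decoded control characters, which would cut a C string compare short:

```python
import posixpath
import urllib.parse
from typing import Tuple

# Constructed deny-list of URL path prefixes (illustrative; not Squid's ACL syntax).
DENIED_PREFIXES: Tuple[str, ...] = ("/admin/", "/secret/")


def naive_is_denied(url: str) -> bool:
    """Test the ACL against the raw request path, with no decoding at all."""
    path = urllib.parse.urlsplit(url).path
    return any(path.startswith(prefix) for prefix in DENIED_PREFIXES)


def canonical_path(url: str) -> str:
    """Return the path form an ACL should be tested against.

    Percent-escapes are decoded once, decoded control bytes are rejected
    (a %00 NUL would terminate a C string compare early), and dot segments
    are collapsed so that /public/../secret/ and /secret/ compare equal.
    """
    raw = urllib.parse.urlsplit(url).path or "/"
    decoded = urllib.parse.unquote(raw)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise ValueError("control character in decoded URL path")
    norm = posixpath.normpath(decoded)
    if not norm.startswith("/"):
        norm = "/" + norm
    # normpath drops the trailing slash; restore it so directory prefixes still match.
    if decoded.endswith("/") and norm != "/":
        norm += "/"
    return norm


def canonical_is_denied(url: str) -> bool:
    """Test the ACL against the canonical path; anything that cannot be canonicalized is denied."""
    try:
        path = canonical_path(url)
    except ValueError:
        return True
    return any(path == prefix.rstrip("/") or path.startswith(prefix)
               for prefix in DENIED_PREFIXES)


# Constructed request URLs (not real traffic) that exercise the encoding gap.
SAMPLES = (
    "http://intranet.example/secret/report.txt",     # plain: both checks deny
    "http://intranet.example/%73ecret/report.txt",   # %73 is 's': the raw check misses it
    "http://intranet.example/public/../secret/",     # dot segments: the raw check misses it
    "http://intranet.example/secret%00/x",           # embedded NUL: rejected outright
    "http://intranet.example/public/index.html",     # allowed by both
)

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  raw-denied={naive_is_denied(url)}  canonical-denied={canonical_is_denied(url)}")
```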
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
The ecartis mailing list manager (version 1.0) suffers from an input validation vulnerability which can result in the disclosure of list passwords. Ecartis also has several buffer overflow vulnerabilities. See this advisory for more information.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
in handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
The Apache Software Foundation and the Apache HTTP Server Project have
announced the release of version 2.0.49 of the Apache HTTP Server
("Apache"). More on the vulnerabilities fixed in this release can be found
in this announcement.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
KDE has issued a security advisory for all
versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4
inclusive. A carefully crafted .VCF file potentially enables local
attackers to compromise the privacy of a victim's data or execute arbitrary
commands with the victim's privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to
this issue.
A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability, issue the following
command as root:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
A vulnerability was discovered in Midnight Commander, a file manager,
whereby a malicious archive (such as a .tar file) could cause arbitrary
code to be executed if opened by Midnight Commander.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details.
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users.
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
PWLib is a cross-platform class library designed to support the OpenH323
project. OpenH323 provides an implementation of the ITU H.323
teleconferencing protocol, used by packages such as Gnome Meeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue.
Samba, a LanManager-like file and printer server for Unix, was found
to contain a vulnerability whereby a local user could use the "smbmnt"
utility, which is setuid root, to mount a file share from a remote
server which contained setuid programs under the control of the user.
These programs could then be executed to gain privileges on the local
system.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
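The tar and unzip issue above is path traversal through archive member names. As an added example (not GNU tar's code; the archive contents are constructed in the block), this resolves each member's destination against the extraction directory before extracting and skips anything that would land outside it:

```python
import io
import os
import tarfile
import tempfile
from typing import List


def is_safe_member(name: str, dest: str) -> bool:
    """True only if extracting `name` under `dest` stays inside `dest`.

    Absolute names are rejected outright, and the resolved target path must
    equal or lie below the resolved destination, which catches "../" segments
    wherever they appear in the name.
    """
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    return target == root or target.startswith(root + os.sep)


def safe_extract(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Extract only regular files and directories whose names pass is_safe_member.

    Link members are skipped here: a link pointing outside dest, followed by
    a later member written through it, is the same escape in another form.
    """
    extracted = []
    for member in tar.getmembers():
        if not (member.isfile() or member.isdir()):
            continue
        if not is_safe_member(member.name, dest):
            continue  # hostile name: do not write it anywhere
        tar.extract(member, dest)
        extracted.append(member.name)
    return extracted


def build_sample_archive() -> bytes:
    """Constructed archive: one benign member and one whose name climbs out with '../'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("docs/readme.txt", b"hello\n"), ("../escape.txt", b"outside\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> List[str]:
    """Unpack the sample archive into a scratch directory and report what was written."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return safe_extract(tar, dest)


if __name__ == "__main__":
    print("extracted:", demo())
```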
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.
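Both the ISAKMP reports and the RADIUS print_attr_string flaw above come down to a decoder trusting length fields read from the packet. The following added example (mine, not tcpdump's code; the packets are constructed, not captures) walks RADIUS attributes with every read bounded by the bytes actually present, which is the check a display routine needs before it renders a value:

```python
import struct
from typing import List, Tuple

RADIUS_HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def parse_radius_attributes(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, value) pairs from a RADIUS packet without reading past its end.

    Attributes are Type(1) Length(1) Value(Length-2). The header's Length and
    each attribute's Length are claims made by the sender; both are checked
    against len(pkt), which is what the capture buffer really holds.
    """
    if len(pkt) < RADIUS_HEADER_LEN:
        raise ValueError("truncated RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < RADIUS_HEADER_LEN:
        raise ValueError("header Length shorter than the fixed header")
    end = min(length, len(pkt))  # never trust Length beyond the captured bytes
    attrs: List[Tuple[int, bytes]] = []
    off = RADIUS_HEADER_LEN
    while off < end:
        if end - off < 2:
            raise ValueError(f"byte at offset {off} cannot hold a Type/Length pair")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2:
            raise ValueError(f"attribute {atype} has impossible length {alen}")
        if off + alen > end:
            raise ValueError(f"attribute {atype} length {alen} runs past packet end")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return attrs


def attr_string(value: bytes) -> str:
    """Render a value for display, bounded by the value's own length rather than a NUL."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in value)


# Constructed packets (not real captures). Well-formed: User-Name (type 1) = "bob".
GOOD = bytes([1, 7, 0, 25]) + b"\x00" * 16 + bytes([1, 5]) + b"bob"
# Malformed: the attribute claims 40 bytes, but only 3 follow the header.
BAD = bytes([1, 7, 0, 25]) + b"\x00" * 16 + bytes([1, 40]) + b"bob"

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("bad", BAD)):
        try:
            for atype, value in parse_radius_attributes(pkt):
                print(f"{label}: type={atype} value={attr_string(value)!r}")
        except ValueError as exc:
            print(f"{label}: rejected: {exc}")
```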
This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
After some two years in the development process, the Open Source Vulnerability Database has
opened its virtual doors. "The Open Source Vulnerability Database (OSVDB) is an open project to collect and
distribute vulnerability information freely to everyone. The project team
contains skilled volunteers working together to document every security
vulnerability that arises."