Security
Leaking browser history
Browser history is fairly sensitive information for most people. If there were a way for random web sites to grab a list of other sites you have visited recently, it would cause a fair amount of concern. Unfortunately, a longstanding problem in the HTML Document Object Model (DOM) makes for an information leak nearly as bad as that.
The problem stems from the handy feature that browsers implement to show you which links you have already visited. Browsers show those links in a different color by turning on the "visited" style for the link. Many sites, such as LWN, then change the default colors for both visited and non-visited links via the site's Cascading Style Sheet (CSS). The resulting style is recorded in the DOM for the page, where it can be queried from Javascript.
Because of the nature of the leak, scripts cannot get a full dump of the browser's history, but they can get the visited status for a set of sites they are interested in. A web site that wishes to gather this kind of information need only add a link to each site of interest—often in an unreadable font size or color—and send over a bit of Javascript to read the DOM status for each link.
While this problem has been known since at least 2002, there is no easy fix while still being compliant with the CSS standard. Because of that, most or all browsers are vulnerable. It has recently been in the news because it is being used in a benign, or at least semi-benign, way.
These days many news sites and blogs have small images that correspond to various social networking sites—digg, reddit and the like—that allow voting on particular stories or postings. Those images are buttons that register a vote or submission of the site that displays them. With the proliferation of these sites, a great deal of screen real estate was being taken up by these icons, many of which were not useful because the person viewing them never visited those particular sites.
To reduce the clutter, Aza Raskin created some Javascript code to determine which of the social networking sites a particular user had visited so that only the icons for those sites were displayed. Many people would find that a useful hack, and at some level it is only minimally intrusive. Others, with stricter personal privacy expectations, might find it more than a bit creepy.
Reducing clutter is one thing, but this technique can be used to gather much more sensitive information than which of the many social networking "news" sites you visit. It is tempting to remind readers of the NoScript Firefox extension, but it has become increasingly difficult to do nearly anything on the web without enabling Javascript. Many sites essentially hide their content behind a Javascript test, refusing to display it unless Javascript is enabled.
This makes it difficult to avoid giving away some of your browsing history to dodgy sites—or those with cross-site scripting vulnerabilities—other than by avoiding them entirely. It is an unfortunate side effect of a useful property that, as the discussion on the Mozilla bugzilla shows, will be difficult to completely eliminate. It should be noted that the links do not have to be obfuscated—by adding a dash of Javascript LWN could know whether you have visited digg or reddit. But, of course, we don't force Javascript on our readers.
New vulnerabilities
clamav: denial of service
Package(s): clamav
CVE #(s): CVE-2008-2713
Created: June 23, 2008
Updated: August 13, 2008
Description: Versions of clamav prior to 0.93.1 can be made to perform an out-of-bounds read with a specially-crafted file, leading to a denial of service vulnerability.
Alerts:
fetchmail: denial of service
Package(s): fetchmail
CVE #(s): CVE-2008-2711
Created: June 20, 2008
Updated: October 30, 2009
Description: From the CVE entry: fetchmail 6.3.8 and earlier, when running in -v -v mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which is not properly handled when using vsnprintf to format log messages.
Alerts:
gallery: multiple vulnerabilities
Package(s): gallery
CVE #(s): CVE-2008-2720 CVE-2008-2721 CVE-2008-2722 CVE-2008-2723 CVE-2008-2724
Created: June 23, 2008
Updated: June 25, 2008
Description: Gallery suffers from a number of vulnerabilities, including cross-site scripting, information disclosure, permission escalation, and authentication bypass. Version 2.2.5 fixes these problems; see the release announcement for details.
Alerts:
horde: cross-site scripting
Package(s): horde
CVE #(s):
Created: June 25, 2008
Updated: June 25, 2008
Description: The Horde application framework suffers from a cross-site scripting vulnerability which is exploitable by authenticated users. The 3.2.1 release fixes the problem.
Alerts:
IBM JDK/JRE: multiple vulnerabilities
Package(s): ibm-jdk-bin
CVE #(s):
Created: June 25, 2008
Updated: June 25, 2008
Description: The IBM Java development kit and runtime environment (prior to versions 1.5.0.7 and 1.4.2.11) suffer from a number of remotely-exploitable code execution vulnerabilities.
Alerts:
kernel: information disclosure
Package(s): kernel
CVE #(s): CVE-2008-2729
Created: June 25, 2008
Updated: August 27, 2008
Description: The kernel memory copy routines (on the x86_64 architecture only) do not always zero memory at the destination location, potentially leaking data.
Alerts:
kernel: information disclosure
Package(s): kernel
CVE #(s): CVE-2008-0598
Created: June 25, 2008
Updated: September 1, 2010
Description: From the Red Hat advisory: Tavis Ormandy discovered a deficiency in the Linux kernel 32-bit and 64-bit emulation. This could allow a local unprivileged user to prepare and run a specially crafted binary, which would use this deficiency to leak uninitialized and potentially sensitive data.
Alerts:
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2008-2365
Created: June 25, 2008
Updated: July 16, 2008
Description: A race condition in the ptrace() system call can be exploited by a local user to hang the system.
Alerts:
nasm: off-by-one error
Package(s): nasm
CVE #(s): CVE-2008-2719
Created: June 23, 2008
Updated: October 1, 2008
Description: From the CVE entry: Off-by-one error in the ppscan function (preproc.c) in Netwide Assembler (NASM) 2.02 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted file that triggers a stack-based buffer overflow.
Alerts:
phpMyAdmin: cross-site scripting
Package(s): phpMyAdmin
CVE #(s):
Created: June 25, 2008
Updated: June 25, 2008
Description: phpMyAdmin suffers from cross-site scripting vulnerabilities in several library scripts. From the advisory: "We were able to reproduce this only on systems where both of these conditions are true: the PHP register_globals setting is 'on' and the web server does not apply the settings contained in the .htaccess file that we placed in /libraries."
Alerts:
ruby: multiple vulnerabilities
Package(s): ruby
CVE #(s): CVE-2008-2662 CVE-2008-2663 CVE-2008-2664 CVE-2008-2725 CVE-2008-2726
Created: June 25, 2008
Updated: December 17, 2008
Description: The Ruby language suffers from a number of denial-of-service and code execution vulnerabilities; see this advisory for details.
Alerts:
sblim: arbitrary code execution
Package(s): sblim
CVE #(s): CVE-2008-1951
Created: June 24, 2008
Updated: June 25, 2008
Description: From the Red Hat advisory: It was discovered that certain sblim libraries had an RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. This RPATH pointed to a sub-directory of a world-writable, temporary directory. A local user could create a file with the same name as a library required by sblim (such as libc.so) and place it in the directory defined in the RPATH. This file could then execute arbitrary code with the privileges of the user running an application that used sblim (e.g. tog-pegasus).
Alerts:
Page editor: Jake Edge