Security
Another kind of cookie
It has become increasingly difficult to use the web without some kind of Flash player, but a little-known "feature" of Flash is causing some privacy concerns. In some ways, Local Shared Objects (LSOs aka Flash cookies) are similar to browser cookies, but there are a number of significant differences as well. In addition, because the dominant Flash player is closed-source, one must depend on Adobe's ability to faithfully implement the security model. In all, Flash cookies are something that web users should be cognizant of.
At its core, an LSO is a chunk of data that is stored on a user's disk based on the domain that the Flash program was downloaded from. Only Flash programs from that domain should have access to the data and, unlike browser cookies, much more data can be stored. By default, 100K bytes can be used per domain, which is a sizable increase from the 4K available for browser cookies. The amount of storage for a Flash cookie can be increased with the assent of the user, or decreased via the management interface.
Another major difference from the now-familiar browser cookies is that the interface for managing them is less-than-obvious. From a given Flash application, there is a "Settings" menu that allows control of the LSOs from that site. To see the sites that have stored Flash cookies or to have more global control over them, one must visit Adobe's site. There are also third-party applications and browser add-ons that will allow more control. A user can also resort to the ultimate control—removing them from the filesystem (~/.macromedia/Flash_Player/#SharedObjects).
There are many benign things that a Flash application might do with a bit of local storage—caching data, storing preferences, etc.—but they can also be used to track users in much the same way that browser cookies are used. Because Flash cookies are less well-known, and harder to manage, though, they may be more effective because they are removed or restricted less often.
Another important thing to note is that there is no requirement that there be a visible Flash application on the web site. A site could embed a Flash application with no visible elements simply to store a cookie. Unless the user has a browser add-on like NoScript, they will get no indication that anything has happened.
Assuming that there aren't any holes in Adobe's implementation of the Flash security model, Flash cookies aren't much different—or more dangerous—than browser cookies. But that assumption is a bit worrisome. For Firefox or other free software browsers, the code can be inspected to verify correct behavior. Either Flash or Firefox could have some flaw that allowed cross-site cookie access (which would be a rather nasty information disclosure vulnerability), but for Flash, we can only take Adobe's word.
Privacy advocates have been successful in getting the idea of deleting browser cookies into the consciousness of concerned users, but Flash cookies seem to have flown below the radar. A recent blog posting that was widely reported has helped to raise the profile of Flash cookies so that users will, hopefully, know that they exist. Those with a desire to strictly control their privacy will be better able to do so. With luck, it may also lead Adobe to provide an easier and more visible interface to manage them as well.
New vulnerabilities
cman: insecure temp file
| Package(s): | cman | CVE #(s): | CVE-2008-4192 | ||||||||||||||||||||||||
| Created: | October 23, 2008 | Updated: | February 16, 2011 | ||||||||||||||||||||||||
| Description: | cman has an insecure temp file vulnerability. From the Red Hat
bug report:
A malicious user could precreate a symlink, pointing to the file /tmp/eglog, Subsequent run of the '/sbin/egenera' command would destroy / truncate the target of this link to zero length. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
cman: insecure temp file
| Package(s): | cman | CVE #(s): | CVE-2008-4579 | ||||||||||||||||||||||||||||||||||||
| Created: | October 23, 2008 | Updated: | February 16, 2011 | ||||||||||||||||||||||||||||||||||||
| Description: | cman has an insecure temp file vulnerability. From the Red Hat
bug report:
The fence_apc and fence_apc_snmp programs, as used in fence 2.02.00-r1 and possibly cman, when running in verbose mode, allows local users to append to arbitrary files via a symlink attack on the apclog temporary file. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
emacs: arbitrary code execution
| Package(s): | emacs | CVE #(s): | CVE-2008-3949 | ||||||||
| Created: | October 28, 2008 | Updated: | February 24, 2009 | ||||||||
| Description: | From the CVE entry: Emacs 22.1 and 22.2 imports Python script from the current working directory during editing of a Python file, which allows local users to execute arbitrary code via a Trojan horse Python file. | ||||||||||
| Alerts: |
| ||||||||||
flash-plugin: several vulnerabilities
| Package(s): | flash-plugin | CVE #(s): | CVE-2008-3873 CVE-2008-4401 CVE-2008-4503 | ||||||||||||
| Created: | October 28, 2008 | Updated: | November 14, 2008 | ||||||||||||
| Description: | From the Red Hat advisory:
A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. (CVE-2008-3873) A flaw was found which allowed Adobe Flash Player's ActionScript to initiate file uploads and downloads without user interaction. FileReference.browse and FileReference.download calls can now only be initiated via user interaction, such as mouse-clicks or key-presses on the keyboard. (CVE-2008-4401) A flaw was found in Adobe Flash Player's display of the Settings Manager content. A malicious SWF file could trick the user into unknowingly clicking a link or dialog. This could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503) | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: restriction bypass
| Package(s): | kernel | CVE #(s): | CVE-2008-4554 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | October 23, 2008 | Updated: | June 8, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The kernel has a restriction bypass vulnerability.
From the Red Hat
bug report:
Miklos Szeredi reported that splice() to files opened with O_APPEND are ignored, which allows users to bypass the append-only restriction. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2008-4410 | ||||||||||||
| Created: | October 23, 2008 | Updated: | October 29, 2008 | ||||||||||||
| Description: | The kernel has a denial of service vulnerability. From the
CVE description:
The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247. | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2008-3911 CVE-2008-4618 | ||||||||||||||||
| Created: | October 27, 2008 | Updated: | January 22, 2009 | ||||||||||||||||
| Description: | From the SUSE advisory: CVE-2008-3911: The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from user space, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file. CVE-2008-4618: Fixed a kernel panic in SCTP while process protocol violation parameter. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
ktorrent: multiple vulnerabilities
| Package(s): | ktorrent | CVE #(s): | |||||||||
| Created: | October 27, 2008 | Updated: | November 6, 2008 | ||||||||
| Description: | From the Fedora advisory: Another bugfix release for the 3.1 series is out. This fixes several bugs : * A crash caused by a SIGBUS, when diskspace preallocation is disabled * High CPU usage when DNS lookups fail in the UDP tracker code * Several security issues in the webinterface plugin | ||||||||||
| Alerts: |
| ||||||||||
libspf2: buffer overflow
| Package(s): | libspf2 | CVE #(s): | CVE-2008-2469 | ||||||||
| Created: | October 24, 2008 | Updated: | October 31, 2008 | ||||||||
| Description: | From the Debian advisory: Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition | ||||||||||
| Alerts: |
| ||||||||||
lynx: multiple vulnerabilities
| Package(s): | lynx | CVE #(s): | CVE-2008-4690 CVE-2006-7234 | ||||||||||||||||||||||||||||||||
| Created: | October 27, 2008 | Updated: | September 14, 2009 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: An arbitrary command execution flaw was found in the Lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL that could execute arbitrary code as the user running Lynx in the non-default "Advanced" user mode. (CVE-2008-4690) A flaw was found in a way Lynx handled ".mailcap" and ".mime.types" configuration files. Files in the browser's current working directory were opened before those in the user's home directory. A local attacker, able to convince a user to run Lynx in a directory under their control, could possibly execute arbitrary commands as the user running Lynx. (CVE-2006-7234) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
squirrelmail: session hijacking vulnerability
| Package(s): | squirrelmail | CVE #(s): | CVE-2008-3663 | ||||||||||||||||||||||||||||
| Created: | October 23, 2008 | Updated: | May 13, 2009 | ||||||||||||||||||||||||||||
| Description: | squirrelmail is vulnerable to session hijacking.
From the Red Hat
bug report:
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2008-4680 CVE-2008-4681 CVE-2008-4682 CVE-2008-4683 CVE-2008-4684 CVE-2008-4685 | ||||||||||||||||||||||||||||
| Created: | October 27, 2008 | Updated: | June 30, 2009 | ||||||||||||||||||||||||||||
| Description: | From the CVE entries: CVE-2008-4680: packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB). CVE-2008-4681: Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via unknown packets. CVE-2008-4682: wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application abort) via a malformed Tamos CommView capture file (aka .ncf file) with an "unknown/unexpected packet type" that triggers a failed assertion. CVE-2008-4683: The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call. CVE-2008-4684: packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle exceptions thrown by post dissectors, which allows remote attackers to cause a denial of service (application crash) via a certain series of packets, as demonstrated by enabling the (1) PRP or (2) MATE post dissector. CVE-2008-4685: Use-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>