
Security

Another kind of cookie

By Jake Edge
October 29, 2008

It has become increasingly difficult to use the web without some kind of Flash player, but a little-known "feature" of Flash is causing some privacy concerns. In some ways, Local Shared Objects (LSOs aka Flash cookies) are similar to browser cookies, but there are a number of significant differences as well. In addition, because the dominant Flash player is closed-source, one must depend on Adobe's ability to faithfully implement the security model. In all, Flash cookies are something that web users should be cognizant of.

At its core, an LSO is a chunk of data that is stored on the user's disk, keyed by the domain that the Flash program was downloaded from. Only Flash programs from that domain should have access to the data and, unlike browser cookies, much more data can be stored. By default, 100KB can be used per domain, a sizable increase from the 4KB available for a browser cookie. The amount of storage for a Flash cookie can be increased with the assent of the user, or decreased via the management interface.

Another major difference from the now-familiar browser cookies is that the interface for managing them is less-than-obvious. From a given Flash application, there is a "Settings" menu that allows control of the LSOs from that site. To see the sites that have stored Flash cookies or to have more global control over them, one must visit Adobe's site. There are also third-party applications and browser add-ons that will allow more control. A user can also resort to the ultimate control—removing them from the filesystem (~/.macromedia/Flash_Player/#SharedObjects).
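Because the in-player dialog is the only per-site control and the global view lives on Adobe's site, the quickest audit is to look at the filesystem directly. The following is an added example, not code from the article or from Adobe: it walks the #SharedObjects directory named above, reports how much each domain has stored, and can clear one domain. It assumes the on-disk layout #SharedObjects/<random-id>/<domain>/.../<name>.sol (the random per-profile directory is an assumption; only the #SharedObjects path appears in the article), and the demo builds a constructed tree in a temporary directory rather than touching a real profile.

```python
"""Inventory and clear Flash Local Shared Objects (.sol files) on disk.

Added example. Assumed layout (the per-profile random id directory is
an assumption, the #SharedObjects path comes from the article):
  ~/.macromedia/Flash_Player/#SharedObjects/<random-id>/<domain>/.../<name>.sol
"""
import os
import shutil
import tempfile
from collections import defaultdict

SHARED_OBJECTS = os.path.expanduser("~/.macromedia/Flash_Player/#SharedObjects")


def inventory_lsos(root=SHARED_OBJECTS):
    """Return {domain: (file_count, total_bytes)} for every .sol under root.

    The first directory level under root is the per-profile random id,
    the second is the domain that owns the objects.
    """
    usage = defaultdict(lambda: [0, 0])
    if not os.path.isdir(root):
        return {}
    for profile_id in os.listdir(root):
        profile_dir = os.path.join(root, profile_id)
        if not os.path.isdir(profile_dir):
            continue
        for domain in os.listdir(profile_dir):
            domain_dir = os.path.join(profile_dir, domain)
            if not os.path.isdir(domain_dir):
                continue
            for dirpath, _dirs, files in os.walk(domain_dir):
                for name in files:
                    if name.endswith(".sol"):
                        usage[domain][0] += 1
                        usage[domain][1] += os.path.getsize(os.path.join(dirpath, name))
    return {d: (c, b) for d, (c, b) in usage.items()}


def remove_domain_lsos(domain, root=SHARED_OBJECTS):
    """Delete every object stored for one domain; return the number of
    profile directories it was removed from. This is the filesystem
    equivalent of clearing that site's cookies."""
    removed = 0
    if not os.path.isdir(root):
        return 0
    for profile_id in os.listdir(root):
        domain_dir = os.path.join(root, profile_id, domain)
        if os.path.isdir(domain_dir):
            shutil.rmtree(domain_dir)
            removed += 1
    return removed


def demo():
    """Build a constructed #SharedObjects tree in a temp dir, audit it,
    clear one tracking domain, and audit again."""
    root = tempfile.mkdtemp(prefix="lso-demo-")
    try:
        sample = {  # constructed sample data, not real LSO contents
            "www.example.com/prefs.sol": b"\x00" * 1200,
            "www.example.com/player/cache.sol": b"\x00" * 3000,
            "tracker.example.net/uid.sol": b"\x00" * 64,
        }
        for rel, data in sample.items():
            path = os.path.join(root, "ABCD1234", rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        before = inventory_lsos(root)
        removed = remove_domain_lsos("tracker.example.net", root)
        after = inventory_lsos(root)
        return before, removed, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for domain, (count, size) in sorted(inventory_lsos().items()):
        print(f"{domain:40s} {count:3d} objects {size:7d} bytes")
```

Run against a real profile it prints one line per domain; a domain you have never knowingly visited a Flash site on is the invisible-embed case described further down. Per-site permission settings (camera, microphone, storage quota) live elsewhere under ~/.macromedia and are not touched by this script.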

There are many benign things that a Flash application might do with a bit of local storage—caching data, storing preferences, etc.—but LSOs can also be used to track users in much the same way that browser cookies are. Because Flash cookies are less well known and harder to manage, they tend to be removed or restricted less often, which makes them more effective trackers.

Another important thing to note is that there is no requirement that there be a visible Flash application on the web site. A site could embed a Flash application with no visible elements simply to store a cookie. Unless the user has a browser add-on like NoScript, they will get no indication that anything has happened.

Assuming that there aren't any holes in Adobe's implementation of the Flash security model, Flash cookies aren't much different from, or more dangerous than, browser cookies. But that assumption is a bit worrisome. For Firefox or other free software browsers, the code can be inspected to verify correct behavior. Either Flash or Firefox could have some flaw that allowed cross-site cookie access (which would be a rather nasty information disclosure vulnerability), but for Flash, we can only take Adobe's word.

Privacy advocates have been successful in getting the idea of deleting browser cookies into the consciousness of concerned users, but Flash cookies seem to have flown below the radar. A recent blog posting that was widely reported has helped to raise the profile of Flash cookies so that users will, hopefully, know that they exist. Those with a desire to strictly control their privacy will be better able to do so. With luck, it may also lead Adobe to provide an easier and more visible interface to manage them as well.

Comments (6 posted)

New vulnerabilities

cman: insecure temp file

Package(s): cman  CVE #(s): CVE-2008-4192
Created: October 23, 2008  Updated: February 16, 2011
Description: cman has an insecure temp file vulnerability. From the Red Hat bug report:

A malicious user could precreate a symlink pointing to the file /tmp/eglog. A subsequent run of the '/sbin/egenera' command would destroy/truncate the target of this link to zero length.

Alerts:
Red Hat RHSA-2011:0266-01 fence 2011-02-16
Ubuntu USN-875-1 redhat-cluster, redhat-cluster-suite 2009-12-18
Fedora FEDORA-2008-9458 gfs2-utils 2008-11-07
Fedora FEDORA-2008-9458 rgmanager 2008-11-07
Fedora FEDORA-2008-9458 cman 2008-11-07
Fedora FEDORA-2008-9042 cman 2008-10-23

Comments (none posted)

cman: insecure temp file

Package(s): cman  CVE #(s): CVE-2008-4579
Created: October 23, 2008  Updated: February 16, 2011
Description: cman has an insecure temp file vulnerability. From the Red Hat bug report:

The fence_apc and fence_apc_snmp programs, as used in fence 2.02.00-r1 and possibly cman, when running in verbose mode, allow local users to append to arbitrary files via a symlink attack on the apclog temporary file.

Alerts:
Red Hat RHSA-2011:0266-01 fence 2011-02-16
Gentoo 201009-09 fence 2010-09-29
Ubuntu USN-875-1 redhat-cluster, redhat-cluster-suite 2009-12-18
CentOS CESA-2009:1341 cman 2009-09-15
Red Hat RHSA-2009:1341-02 cman 2009-09-02
Fedora FEDORA-2008-9458 gfs2-utils 2008-11-07
Fedora FEDORA-2008-9458 rgmanager 2008-11-07
Fedora FEDORA-2008-9458 cman 2008-11-07
Fedora FEDORA-2008-9042 cman 2008-10-23
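Both cman reports above are the same class of bug: a log file at a fixed, predictable path in a world-writable directory, opened in a way that follows a symlink the attacker planted first. The following is an added example, not code from cman or the fence agents, showing the vulnerable open beside two safe alternatives and running the attack against each in a throwaway directory. The /tmp/eglog-style name and the "verbose log" write mimic the reports; the victim file and its contents are constructed.

```python
"""Predictable temp file opened through a planted symlink, and two fixes.

Added example, not cman/fence code. Demonstrates CVE-2008-4192 /
CVE-2008-4579's bug class in a private temp directory.
"""
import errno
import os
import shutil
import tempfile

VICTIM_CONTENT = b"important cluster data\n"   # constructed victim file


def log_open_vulnerable(logpath):
    """The reported pattern: fixed path, follows symlinks, truncates on open.
    open(..., "wb") is O_WRONLY|O_CREAT|O_TRUNC; the truncation and the
    write both land on whatever the attacker's link points at."""
    with open(logpath, "wb") as f:
        f.write(b"verbose log line\n")
    return True


def log_open_hardened(logpath):
    """Keep the fixed name but refuse a pre-existing path or a symlink.

    O_CREAT|O_EXCL fails with EEXIST if anything already exists at
    logpath, a dangling symlink included; O_NOFOLLOW refuses to follow
    a link at the final component (ELOOP). Returns False when refused,
    leaving the link's target untouched.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(logpath, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(b"verbose log line\n")
    return True


def private_log_demo():
    """The better fix: an unpredictable name via mkstemp (O_EXCL, mode 0600),
    so there is nothing for the attacker to pre-create. Returns the mode
    bits of the created file and removes it again."""
    fd, path = tempfile.mkstemp(prefix="eglog-")
    try:
        mode = os.fstat(fd).st_mode & 0o777
        os.write(fd, b"verbose log line\n")
    finally:
        os.close(fd)
        os.unlink(path)
    return mode


def run_symlink_attack(opener):
    """Plant dir/eglog -> dir/victim (the attacker's step), then run the
    opener on dir/eglog as the privileged tool would.

    Returns (opener_result, victim_bytes_afterwards).
    """
    d = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        victim = os.path.join(d, "victim")
        with open(victim, "wb") as f:
            f.write(VICTIM_CONTENT)
        link = os.path.join(d, "eglog")
        os.symlink(victim, link)
        result = opener(link)
        with open(victim, "rb") as f:
            return result, f.read()
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print("vulnerable:", run_symlink_attack(log_open_vulnerable))
    print("hardened:  ", run_symlink_attack(log_open_hardened))
    print("mkstemp mode: %o" % private_log_demo())
```

The demo runs in a private directory so it reproduces the bug on any kernel; in a real sticky /tmp, the fs.protected_symlinks sysctl on newer kernels refuses to follow a link owned by someone other than the follower or the directory owner, which blunts this class of attack but does not make the fixed-name pattern correct.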

Comments (none posted)

emacs: arbitrary code execution

Package(s): emacs  CVE #(s): CVE-2008-3949
Created: October 28, 2008  Updated: February 24, 2009
Description: From the CVE entry: Emacs 22.1 and 22.2 import a Python script from the current working directory during editing of a Python file, which allows local users to execute arbitrary code via a Trojan horse Python file.
Alerts:
Gentoo 200902-06 emacs 2009-02-23
Mandriva MDVSA-2008:216 emacs 2008-10-27

Comments (none posted)

flash-plugin: several vulnerabilities

Package(s): flash-plugin  CVE #(s): CVE-2008-3873 CVE-2008-4401 CVE-2008-4503
Created: October 28, 2008  Updated: November 14, 2008
Description: From the Red Hat advisory:

A flaw was found in the way Adobe Flash Player wrote content to the clipboard. A malicious SWF file could populate the clipboard with a URL that could cause the user to mistakenly load an attacker-controlled URL. (CVE-2008-3873)

A flaw was found which allowed Adobe Flash Player's ActionScript to initiate file uploads and downloads without user interaction. FileReference.browse and FileReference.download calls can now only be initiated via user interaction, such as mouse-clicks or key-presses on the keyboard. (CVE-2008-4401)

A flaw was found in Adobe Flash Player's display of the Settings Manager content. A malicious SWF file could trick the user into unknowingly clicking a link or dialog. This could then give the malicious SWF file permission to access the local machine's camera or microphone. (CVE-2008-4503)

Alerts:
SuSE SUSE-SR:2008:025 apache2, ipsec-tools, kernel-bigsmp, flash-player, mysql, ktorrent 2008-11-14
Red Hat RHSA-2008:0980-02 flash-plugin 2008-11-12
Red Hat RHSA-2008:0945-01 flash-plugin 2008-10-28

Comments (none posted)

kernel: restriction bypass

Package(s): kernel  CVE #(s): CVE-2008-4554
Created: October 23, 2008  Updated: June 8, 2009
Description: The kernel has a restriction bypass vulnerability. From the Red Hat bug report:

Miklos Szeredi reported that splice() to files opened with O_APPEND are ignored, which allows users to bypass the append-only restriction.

Alerts:
SuSE SUSE-SA:2009:030 kernel 2009-06-08
CentOS CESA-2008:1017 kernel 2008-12-17
Red Hat RHSA-2008:1017-01 kernel 2008-12-16
Debian DSA-1687-1 linux-2.6 2008-12-15
Debian DSA-1681-1 linux-2.6.24 2008-12-04
Ubuntu USN-679-1 linux, linux-source-2.6.15/22 2008-11-27
Mandriva MDVSA-2008:224-1 kernel 2008-11-07
Mandriva MDVSA-2008:224 kernel 2008-11-04
Fedora FEDORA-2008-8929 kernel 2008-10-23
Fedora FEDORA-2008-8980 kernel 2008-10-23
Red Hat RHSA-2009:0009-02 kernel 2009-01-22
SuSE SUSE-SA:2009:003 kernel-debug 2009-01-20
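Append-only files (audit logs, wtmp-style records protected by O_APPEND or chattr +a) rely on the kernel forcing every write to the end; the bug above let splice() from a pipe write at a caller-chosen offset instead. The following is an added example, not kernel code, that probes a running kernel for the fix: it splices into a file opened O_APPEND at offset 0 and reports whether the kernel refused (EINVAL, the fixed behaviour), overwrote the start of the file (the bug), or did something else. It needs os.splice, which exists in Python 3.10 and later on Linux; the file contents are constructed.

```python
"""Probe whether splice() into an O_APPEND file is refused (CVE-2008-4554).

Added example, not kernel code. Fixed kernels return EINVAL for any
splice() whose destination was opened O_APPEND; the vulnerable ones
wrote at the requested offset, bypassing append-only.
"""
import errno
import os
import tempfile

ORIGINAL = b"0123456789"   # constructed file contents


def splice_into_append_file(path, payload):
    """Splice payload through an O_APPEND fd at offset 0 and classify the result.

    Returns one of:
      'refused'     kernel rejected the splice with EINVAL (fixed)
      'overwrote'   payload replaced the start of the file (vulnerable)
      'appended'    payload went to the end despite the offset
      'unsupported' os.splice is not available on this platform/Python
      'error: ...'  some other errno, e.g. a sandbox blocking splice()
    """
    if not hasattr(os, "splice"):
        return "unsupported"
    rfd, wfd = os.pipe()
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    try:
        os.write(wfd, payload)                 # small payload fits the pipe buffer
        try:
            os.splice(rfd, fd, len(payload), offset_dst=0)
        except OSError as e:
            if e.errno == errno.EINVAL:
                return "refused"
            return "error: %s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        os.close(fd)
        os.close(rfd)
        os.close(wfd)
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(payload):
        return "overwrote"
    if data == ORIGINAL + payload:
        return "appended"
    return "unexpected"


def demo(payload=b"XXXX"):
    """Create a temp file holding ORIGINAL, run the probe, clean up."""
    fd, path = tempfile.mkstemp(prefix="splice-append-")
    try:
        os.write(fd, ORIGINAL)
        os.close(fd)
        return splice_into_append_file(path, payload)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("splice into O_APPEND file:", demo())
```

Any answer other than 'refused' on a Linux kernel deserves a look: 'overwrote' is the vulnerability itself, and 'appended' would mean the kernel silently honoured O_APPEND rather than rejecting the request as the fix does.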

Comments (none posted)

kernel: denial of service

Package(s): kernel  CVE #(s): CVE-2008-4410
Created: October 23, 2008  Updated: October 29, 2008
Description: The kernel has a denial of service vulnerability. From the CVE description:

The vmi_write_ldt_entry function in arch/x86/kernel/vmi_32.c in the Virtual Machine Interface (VMI) in the Linux kernel 2.6.26.5 invokes write_idt_entry where write_ldt_entry was intended, which allows local users to cause a denial of service (persistent application failure) via crafted function calls, related to the Java Runtime Environment (JRE) experiencing improper LDT selector state, a different vulnerability than CVE-2008-3247.

Alerts:
SuSE SUSE-SA:2008:053 kernel 2008-10-27
Fedora FEDORA-2008-8929 kernel 2008-10-23
Fedora FEDORA-2008-8980 kernel 2008-10-23

Comments (none posted)

kernel: multiple vulnerabilities

Package(s): kernel  CVE #(s): CVE-2008-3911 CVE-2008-4618
Created: October 27, 2008  Updated: January 22, 2009
Description:

From the SUSE advisory:

CVE-2008-3911: The proc_do_xprt function in net/sunrpc/sysctl.c in the Linux kernel 2.6.26.3 does not check the length of a certain buffer obtained from user space, which allows local users to overflow a stack-based buffer and have unspecified other impact via a crafted read system call for the /proc/sys/sunrpc/transports file.

CVE-2008-4618: Fixed a kernel panic in SCTP while processing a protocol violation parameter.

Alerts:
Debian DSA-1681-1 linux-2.6.24 2008-12-04
Ubuntu USN-679-1 linux, linux-source-2.6.15/22 2008-11-27
SuSE SUSE-SA:2008:053 kernel 2008-10-27
Red Hat RHSA-2009:0009-02 kernel 2009-01-22

Comments (none posted)

ktorrent: multiple vulnerabilities

Package(s): ktorrent  CVE #(s):
Created: October 27, 2008  Updated: November 6, 2008
Description:

From the Fedora advisory:

Another bugfix release for the 3.1 series is out. This fixes several bugs:
* A crash caused by a SIGBUS, when diskspace preallocation is disabled
* High CPU usage when DNS lookups fail in the UDP tracker code
* Several security issues in the webinterface plugin

Alerts:
Fedora FEDORA-2008-9267 ktorrent 2008-11-06
Fedora FEDORA-2008-9167 ktorrent 2008-10-24

Comments (none posted)

libspf2: buffer overflow

Package(s): libspf2  CVE #(s): CVE-2008-2469
Created: October 24, 2008  Updated: October 31, 2008
Description: From the Debian advisory: Dan Kaminsky discovered that libspf2, an implementation of the Sender Policy Framework (SPF) used by mail servers for mail filtering, handles malformed TXT records incorrectly, leading to a buffer overflow condition.
Alerts:
Gentoo 200810-03 libspf2 2008-10-30
Debian DSA-1659-1 libspf2 2008-10-23
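A TXT record's RDATA is a sequence of character-strings, each a one-byte length followed by that many bytes (RFC 1035), and SPF reassembles the record by concatenating them (RFC 4408). Anything that trusts the length byte without checking it against the bytes actually remaining is the shape of bug the advisory describes. The following is an added example, not libspf2 code, showing a parser that makes both checks (length byte versus remaining RDATA, and reassembled record versus a fixed maximum that stands in for a C implementation's destination buffer); the advisory does not say which check libspf2 lacked, and the records below are constructed.

```python
"""Parse DNS TXT RDATA into an SPF record, rejecting malformed input.

Added example, not libspf2 code. Wire format: RDATA is a sequence of
<length byte><that many bytes>; SPF concatenates the strings. The
4096-byte default cap is an assumption standing in for a fixed-size
destination buffer.
"""


class MalformedTXT(ValueError):
    """Raised when a TXT RDATA cannot be parsed safely."""


def parse_txt_rdata(rdata, max_len=4096):
    """Return the concatenated character-strings of rdata as bytes.

    Two checks keep a hostile length byte from driving the parser:
      * the length must not exceed what is left in rdata (otherwise a
        copy would read past the end of the packet buffer), and
      * the reassembled record must fit in max_len (otherwise the copy
        would run past the end of a fixed destination buffer).
    """
    out = bytearray()
    pos, n = 0, len(rdata)
    while pos < n:
        ln = rdata[pos]
        pos += 1
        if ln > n - pos:
            raise MalformedTXT("length %d at offset %d but only %d bytes remain"
                               % (ln, pos - 1, n - pos))
        if len(out) + ln > max_len:
            raise MalformedTXT("reassembled record exceeds %d bytes" % max_len)
        out += rdata[pos:pos + ln]
        pos += ln
    return bytes(out)


def encode_txt_rdata(*strings):
    """Build well-formed RDATA from character-strings (each <= 255 bytes)."""
    out = bytearray()
    for s in strings:
        b = s.encode() if isinstance(s, str) else s
        if len(b) > 255:
            raise ValueError("character-string longer than 255 bytes")
        out.append(len(b))
        out += b
    return bytes(out)


def lookup_spf(rdata):
    """Return the SPF record if rdata parses cleanly and starts with v=spf1,
    else None (malformed records are dropped, never partially trusted)."""
    try:
        rec = parse_txt_rdata(rdata)
    except MalformedTXT:
        return None
    return rec if rec.startswith(b"v=spf1") else None


# Constructed samples: a valid two-string record, a record whose length
# byte overstates the data, and one that is well-formed but too long.
GOOD = encode_txt_rdata("v=spf1 ip4:192.0.2.0/24 ", "include:_spf.example.com -all")
TRUNCATED = b"\x0bv=spf1 -al"                      # claims 11 bytes, only 10 follow
OVERLONG = encode_txt_rdata(*(["a" * 255] * 20))   # 20 strings, 5100 bytes in total

if __name__ == "__main__":
    for name, rd in (("GOOD", GOOD), ("TRUNCATED", TRUNCATED), ("OVERLONG", OVERLONG)):
        print(name, lookup_spf(rd))
```

Both failure cases come back as None rather than as a partially assembled record, which is the right answer for a policy lookup: a record that cannot be parsed must not be treated as a permissive or restrictive policy.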

Comments (none posted)

lynx: multiple vulnerabilities

Package(s): lynx  CVE #(s): CVE-2008-4690 CVE-2006-7234
Created: October 27, 2008  Updated: September 14, 2009
Description:

From the Red Hat advisory:

An arbitrary command execution flaw was found in the Lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL that could execute arbitrary code as the user running Lynx in the non-default "Advanced" user mode. (CVE-2008-4690)

A flaw was found in the way Lynx handled ".mailcap" and ".mime.types" configuration files. Files in the browser's current working directory were opened before those in the user's home directory. A local attacker, able to convince a user to run Lynx in a directory under their control, could possibly execute arbitrary commands as the user running Lynx. (CVE-2006-7234)

Alerts:
Gentoo 200909-15 lynx 2009-09-12
Fedora FEDORA-2008-9952 lynx 2008-12-03
Fedora FEDORA-2008-9550 lynx 2008-12-03
Fedora FEDORA-2008-9597 lynx 2008-12-03
Mandriva MDVSA-2008:217 lynx 2008-10-28
CentOS CESA-2008:0965 lynx 2008-10-27
Red Hat RHSA-2008:0965-01 lynx 2008-10-27
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19

Comments (none posted)

squirrelmail: session hijacking vulnerability

Package(s): squirrelmail  CVE #(s): CVE-2008-3663
Created: October 23, 2008  Updated: May 13, 2009
Description: squirrelmail is vulnerable to session hijacking. From the Red Hat bug report:

Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Alerts:
Mandriva MDVSA-2009:053 squirrelmail 2009-02-24
SuSE SUSE-SR:2009:004 apache, audacity, dovecot, libtiff-devel, libvirt, mediawiki, netatalk, novell-ipsec-tools,opensc, perl, phpPgAdmin, sbl, sblim-sfcb, squirrelmail, swfdec, tomcat5, virtualbox, websphere-as_ce, wine, xine-devel 2009-02-17
CentOS CESA-2009:0010 squirrelmail 2009-01-12
Red Hat RHSA-2009:0010-01 squirrelmail 2009-01-12
SuSE SUSE-SR:2008:028 clamav, IBM Java, freeradius, squirrelmail 2008-12-16
Fedora FEDORA-2008-9071 squirrelmail 2008-10-24
Fedora FEDORA-2008-8559 squirrelmail 2008-10-23
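Without the Secure attribute, a browser will attach the session cookie to any plain-http request for the same host, so an attacker who can make the victim fetch one http:// URL (an image in a mail, a redirect) sees the cookie on the wire and can replay it. The following is an added example, not SquirrelMail code: a small checker that parses Set-Cookie headers from a captured HTTPS response and flags session cookies missing Secure (and HttpOnly), plus the corrected header. The response text is constructed; SQMSESSID is used as the SquirrelMail session cookie name, a detail not stated on this page.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attributes.

Added example, not SquirrelMail code. Checks what CVE-2008-3663 is
about: a session cookie issued inside an HTTPS session without Secure,
which the browser will then also send over http://.
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: value_or_None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        k, sep, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if sep else None
    return name.strip(), value, attrs


def audit_session_cookie(header_value, over_https=True):
    """Return a list of findings (strings) for one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if over_https and "secure" not in attrs:
        findings.append("%s: missing Secure; browser will also send it over http://" % name)
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly; readable by page script" % name)
    return findings


def audit_response(raw_response, over_https=True):
    """Audit every Set-Cookie header in a raw HTTP response (headers only)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        k, _, v = line.partition(":")
        if k.strip().lower() == "set-cookie":
            findings += audit_session_cookie(v.strip(), over_https)
    return findings


def harden_set_cookie(header_value, over_https=True):
    """Return the header with the missing attributes appended (the fix)."""
    _name, _value, attrs = parse_set_cookie(header_value)
    out = header_value.rstrip().rstrip(";")
    if over_https and "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


# Constructed HTTPS response: the session cookie lacks Secure, a second
# cookie is set correctly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SQMSESSID=9f3c1e7ab2d4; path=/\r\n"
    "Set-Cookie: key=abc123; path=/; secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print("FINDING", f)
    print("fixed:", harden_set_cookie("SQMSESSID=9f3c1e7ab2d4; path=/"))
```

In PHP, which SquirrelMail is written in, the attribute comes from the secure argument to session_set_cookie_params() or setcookie() rather than from string surgery on the header; the checker is meant for reviewing captured traffic, the hardened string only shows what the corrected header looks like.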

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s): wireshark  CVE #(s): CVE-2008-4680 CVE-2008-4681 CVE-2008-4682 CVE-2008-4683 CVE-2008-4684 CVE-2008-4685
Created: October 27, 2008  Updated: June 30, 2009
Description:

From the CVE entries:

CVE-2008-4680: packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a malformed USB Request Block (URB).

CVE-2008-4681: Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via unknown packets.

CVE-2008-4682: wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a denial of service (application abort) via a malformed Tamos CommView capture file (aka .ncf file) with an "unknown/unexpected packet type" that triggers a failed assertion.

CVE-2008-4683: The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via a packet with an invalid length, related to an erroneous tvb_memcpy call.

CVE-2008-4684: packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle exceptions thrown by post dissectors, which allows remote attackers to cause a denial of service (application crash) via a certain series of packets, as demonstrated by enabling the (1) PRP or (2) MATE post dissector.

CVE-2008-4685: Use-after-free vulnerability in the dissect_q931_cause_ie function in packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3 allows remote attackers to cause a denial of service (application crash or abort) via certain packets that trigger an exception.

Alerts:
Gentoo 200906-05 wireshark 2009-06-30
CentOS CESA-2009:0313 wireshark 2009-03-05
Red Hat RHSA-2009:0313-01 wireshark 2009-03-04
rPath rPSA-2008-0336-1 tshark 2008-12-11
Debian DSA-1673-1 wireshark 2008-11-29
SuSE SUSE-SR:2009:001 ethereal/wireshark, mysql, imap, rsyslog, courier-authlib, nfs-utils, libxml2, python, jhead, git, samba, vinagre, opera 2009-01-12
Mandriva MDVSA-2008:215 wireshark 2008-10-27

Comments (none posted)

Page editor: Jake Edge


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds