Security
Browser fingerprinting
Browser fingerprinting is apparently on the rise, at least partly to help advertisers evade "do not track" cookie restrictions. The technique is not new; the Electronic Frontier Foundation (EFF) popularized it with the announcement of its Panopticlick fingerprinting tool back in 2010. But marketing firms and advertisers are preparing for a future where fewer web users are willing to be tracked via cookies—or are just out to pick up that extra few percent of the more savvy surfers.
The idea is simple: browsers expose a fair amount of identifying information in normal operation. That includes the User-Agent string and the Accept string (which are both included in HTTP headers). Browser capability queries via JavaScript add an enormous amount of identifying information including screen size and depth, time zone, browser plugins, system fonts, and so on. Those last two, in particular, are often fairly distinct, all of which adds up to a unique (or nearly) fingerprint for a particular user's browser.
Tracking a user across multiple sites then just becomes an exercise in matching fingerprints. That suggests that those who do not wish to be subject to that kind of tracking should seek to have their browser look as common as possible. If your browser is unique in the 3.5 million that Panopticlick has seen (as mine is when JavaScript is enabled for eff.org), it will be far easier to track than a browser that has the same fingerprint as one in every 28,286—how my browser appears with JavaScript disabled. But even the latter may not be much of a defense if some other information (e.g. IP address, timing correlations) is added into the mix.
Clearly disabling JavaScript wherever possible—NoScript to the rescue—will help, but it isn't always possible to do so (and it seems to get less and less possible as time goes on). Limiting what kinds of information are available via JavaScript (and CSS) may help. The biggest differences between my browser and the others Panopticlick has tested are in the plugins and the fonts, for example.
Tor has taken that approach with its Tor Browser Bundle. It limits the properties that users can change, limits plugins, and only allows a certain number of fonts to be presented. That increases the set of browsers with the same fingerprint, though there is a balance to be struck. If Tor browser fingerprints are too similar, it makes identifying Tor users easier, which may have its own set of impacts.
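To make the "one in N browsers" arithmetic concrete, here is an added example (not from the article, and not Panopticlick's or Tor's code) that takes a small constructed sample of observed fingerprints and reports, for one browser, how many bits of identifying information each attribute carries and how its anonymity set shrinks once the JavaScript-only attributes are added to the header-only ones. The attribute names, the sample values and the fp helper are all assumptions.

```javascript
// Added example, not from the LWN article or from Panopticlick: how much each
// attribute narrows a browser down, and how much dropping the JavaScript-only
// attributes widens its anonymity set. SAMPLE is a constructed survey of ten
// "observed" fingerprints; real surveys count millions of browsers.
const HEADER_ATTRS = ["userAgent", "accept"];                // sent in HTTP headers
const JS_ATTRS = ["screen", "timezone", "plugins", "fonts"]; // need JavaScript
const ALL_ATTRS = [...HEADER_ATTRS, ...JS_ATTRS];

// Constructed records; values are short stand-ins for the real strings.
const fp = (userAgent, accept, screen, timezone, plugins, fonts) =>
  ({ userAgent, accept, screen, timezone, plugins, fonts });
const SAMPLE = [
  fp("FF24/Linux", "text/html", "1920x1080x24", "-5", "flash,java", "DejaVu,Liberation"),
  fp("FF24/Linux", "text/html", "1920x1080x24", "-5", "flash", "DejaVu,Liberation"),
  fp("FF24/Linux", "text/html", "1366x768x24", "-5", "flash", "DejaVu"),
  fp("FF24/Linux", "text/html", "1920x1080x24", "+1", "flash,java", "DejaVu,Liberation,Noto"),
  fp("Chrome30/Win", "text/html", "1366x768x24", "-5", "flash,pdf", "Arial,Calibri"),
  fp("Chrome30/Win", "text/html", "1366x768x24", "-5", "flash,pdf", "Arial,Calibri"),
  fp("Chrome30/Win", "text/html", "1920x1080x24", "-8", "flash", "Arial,Calibri,Segoe"),
  fp("Safari6/Mac", "text/html", "1440x900x24", "-8", "quicktime", "Helvetica,Lucida"),
  fp("Safari6/Mac", "text/html", "1440x900x24", "-5", "quicktime", "Helvetica,Lucida"),
  fp("TorBrowser", "text/html", "1000x700x24", "0", "", "Arial,Courier"),
];

// Number of sampled browsers sharing probe's values on every attribute in attrs.
function anonymitySet(sample, probe, attrs) {
  return sample.filter(f => attrs.every(a => f[a] === probe[a])).length;
}

// Identifying information in bits: -log2(fraction of the sample that matches).
// 0 bits: everyone shares it; log2(sample size) bits: unique in the sample.
function surprisalBits(sample, probe, attrs) {
  const n = anonymitySet(sample, probe, attrs);
  return n === 0 ? Infinity : Math.log2(sample.length / n);
}

// Per-attribute bits plus the anonymity set with headers only and with JS on.
function fingerprintReport(sample, probe) {
  const perAttrBits = {};
  for (const a of ALL_ATTRS) {
    perAttrBits[a] = Number(surprisalBits(sample, probe, [a]).toFixed(2));
  }
  return {
    perAttrBits,
    headersOnlySet: anonymitySet(sample, probe, HEADER_ATTRS),
    withJsSet: anonymitySet(sample, probe, ALL_ATTRS),
  };
}

// Example run: the first sampled browser shares its headers with three others
// but becomes unique once the JavaScript attributes are included.
console.log(fingerprintReport(SAMPLE, SAMPLE[0]));
```

The plugins and fonts entries in the report are the ones that turn a browser shared with three others into a unique one, which is exactly why Tor Browser trims the plugin list and the set of fonts it presents.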
Much like the "do not track" effort for cookie-based tracking, the advertising trade groups are trying to come up with an opt-out scheme for non-cookie tracking. As the article mentions, that's both good and bad: it will be nice to have a way to turn off that tracking (at least for compliant advertisers), but it may also legitimize fingerprinting as a way to track users.
It may not only be advertisers who are using fingerprinting, however, and the US National Security Agency (NSA) or other secret services are unlikely to pay attention to any kind of opt-out mechanism. As ars technica noted, the NSA specifically mentioned better fingerprinting in a now-famous presentation entitled "Tor Stinks".
In addition, some security researchers in Belgium have looked into the practice of fingerprinting to see how widespread it is today. Their paper [PDF] claims that 97 sites among the top 10,000 were using JavaScript fingerprinting, and, amusingly, 404 among the top million sites were using the technique. The full list is not available, evidently due to legal concerns, but Orbitz, T-Mobile UK, PokerStrategy.com, and others were listed as using fingerprinting. What, exactly, they use it for is unclear.
Like many things on the internet, fingerprinting is essentially an escalation. Cookie-based tracking may be getting less effective, so something was needed to fill that information gap. Spam and malware have followed similar paths, with some deploying countermeasures that lead to a change in tactics from the spammers and malware purveyors to work around them.
Tracking is in something of a category of its own. One could argue that web site owners are providing a free service that costs them real money, so they should be able to do what they wish with the information gathered (actively or passively) from connections made to their sites. Most would agree that goes too far, but tracking is not as clearly "wrong" as malware or spam. But, for privacy purposes, preventing tracking is critical. One expects that we will be seeing more anti-fingerprinting efforts in browsers before too long.
Brief items
Security quotes of the week
So consider this a good research exercise for all budding cryptanalysts out there.
From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.
Google: Going beyond vulnerability rewards
Google is now offering between $500 and $3,133.7 for security improvements to core free software. That includes projects like OpenSSH, OpenSSL, BIND, libjpeg, Blink, Chromium, the Linux kernel, and more. Expansion into toolchains, web servers, SMTP servers, and VPN is planned. Patches should be submitted to the upstream project and, once they are merged, to Google for evaluation. The official rules have more details. "So we decided to try something new: provide financial incentives for down-to-earth, proactive improvements that go beyond merely fixing a known security bug. Whether you want to switch to a more secure allocator, to add privilege separation, to clean up a bunch of sketchy calls to strcat(), or even just to enable ASLR - we want to help!"
Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010 (op-co.de)
A site called "op-co.de" has a look at how Android chooses SSL ciphers and an explanation why a shift was made to a less secure cipher in the 2.3 release. "So what the fine Google engineers did to reduce our security was merely to copy what was there, defined by the inventors of Java!"
New vulnerabilities
clutter: authentication bypass
Package(s): clutter
CVE #(s): CVE-2013-2190
Created: October 11, 2013
Updated: October 18, 2013
Description: From the Novell bugzilla entry: A security flaw was found in the way Clutter, an open source software library for creating rich graphical user interfaces, used to manage translation of hierarchy events in certain circumstances (when the underlying device disappeared, causing the XIQueryDevice query to throw an error). Physically proximate attackers could use this flaw, for example, to obtain unauthorized access to a gnome-shell session right after system resume (due to a gnome-shell crash).
drupal: multiple vulnerabilities
Package(s): drupal6
CVE #(s): CVE-2012-0825 CVE-2012-0826 CVE-2012-5652 CVE-2013-0244 CVE-2013-0245
Created: October 14, 2013
Updated: October 16, 2013
Description: From the Debian advisory: Multiple vulnerabilities have been fixed in the Drupal content management framework, resulting in information disclosure, insufficient validation, cross-site scripting and cross-site request forgery.
ejabberd: SSLv2 and weak cipher use
Package(s): ejabberd
CVE #(s): (none)
Created: October 11, 2013
Updated: October 16, 2013
Description: From the Debian advisory: It was discovered that ejabberd, a Jabber/XMPP server, uses SSLv2 and weak ciphers for communication, which are considered insecure. The software offers no runtime configuration options to disable these. This update disables the use of SSLv2 and weak ciphers.
Alerts: (No alerts in the database for this vulnerability)
elinks: does not properly verify SSL certificates
Package(s): elinks
CVE #(s): (none)
Created: October 14, 2013
Updated: January 22, 2014
Description: From the Red Hat bugzilla: A Debian bug report indicated that Links does not properly verify SSL certificates. If you visit a web site with an expired SSL certificate, Links will only display "SSL error" without any indication as to what the error was. This, in and of itself, is not a flaw; however, when testing, I found that when you go to a site with a valid SSL certificate, but for a different hostname (for example, if you go to https://alias.foo.com which might be a CNAME or a proxy for https://foo.com), Links will connect without any errors or warnings. Doing the same in a browser like Google Chrome, however, reports "You attempted to reach alias.foo.com, but instead you actually reached a server identifying itself as foo.com." and allows you to either proceed or not, before loading the site.
gnupg: denial of service
Package(s): gnupg
CVE #(s): CVE-2013-4402
Created: October 10, 2013
Updated: November 13, 2013
Description: From the Mageia advisory: Specially crafted input data may be used to cause a denial of service against GPG. GPG can be forced to recursively parse certain parts of OpenPGP messages ad infinitum (CVE-2013-4402).
icu: denial of service
Package(s): icu
CVE #(s): CVE-2013-2924
Created: October 16, 2013
Updated: June 10, 2014
Description: From the CVE entry: Use-after-free vulnerability in International Components for Unicode (ICU), as used in Google Chrome before 30.0.1599.66 and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2013-4387
Created: October 10, 2013
Updated: June 9, 2014
Description: From the Red Hat bugzilla entry: A Linux kernel built with IPv6 protocol (CONFIG_IPV6) support and an Ethernet driver (e.g. virtio-net) which has the UDP Fragmentation Offload (UFO) feature ON is vulnerable to a NULL pointer dereference flaw. It could occur while sending large messages over an IPv6 connection. Though the crash occurs while sending messages, it could be triggered by a remote client by requesting larger data from a server. An unprivileged user/program could use this flaw to crash the kernel, resulting in DoS.
libapache2-mod-fcgid: code execution
Package(s): libapache2-mod-fcgid
CVE #(s): CVE-2013-4365
Created: October 14, 2013
Updated: February 10, 2014
Description: From the Debian advisory: Robert Matthews discovered that the Apache FCGID module, a FastCGI implementation for Apache HTTP Server, fails to perform adequate boundary checks on user-supplied input. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
libtar: code execution
Package(s): libtar
CVE #(s): CVE-2013-4397
Created: October 11, 2013
Updated: February 21, 2014
Description: From the Red Hat advisory: Two heap-based buffer overflow flaws were found in the way libtar handled certain archives. If a user were tricked into expanding a specially-crafted archive, it could cause the libtar executable or an application using libtar to crash or, potentially, execute arbitrary code. (CVE-2013-4397) Note: This issue only affected 32-bit builds of libtar.
mozilla-nss: unspecified impact
Package(s): mozilla-nss
CVE #(s): CVE-2013-1739
Created: October 11, 2013
Updated: December 17, 2013
Description: From the Novell bugzilla entry: Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure. [ NSS bug 894370 is closed at the time of this writing. ]
php-pecl-xhprof: cross-site scripting
Package(s): php-pecl-xhprof
CVE #(s): (none)
Created: October 10, 2013
Updated: October 16, 2013
Description: From the Fedora advisory: Fix reflected XSS with run parameter.
polarssl: insecure RSA private key
Package(s): polarssl
CVE #(s): CVE-2013-5915
Created: October 14, 2013
Updated: June 20, 2014
Description: From the PolarSSL advisory: The researchers Cyril Arnaud and Pierre-Alain Fouque investigated the PolarSSL RSA implementation and discovered a bias in the implementation of the Montgomery multiplication that we used, which they then show can be used to mount an attack on the RSA key. Although their test attack is done on a local system, there seems to be enough indication that this can properly be performed from a remote system as well.
quagga: code execution
Package(s): quagga
CVE #(s): CVE-2013-2236
Created: October 10, 2013
Updated: November 26, 2013
Description: From the quagga-dev bug report: While processing the received LSAs, we crash, with the gdb backtrace pointing to memcpy called from new_msg_lsa_change_notify. By code review, I see that we memcpy into a buffer with a length we learned from the input, not governed by the length of the available buffer. In my patch, I suggest that we govern the memcpy by the length of the available buffer.
qemu: privilege escalation
Package(s): qemu
CVE #(s): CVE-2013-4344
Created: October 14, 2013
Updated: February 7, 2014
Description: From the CVE entry: Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command.
systemd: multiple vulnerabilities
Package(s): systemd
CVE #(s): CVE-2013-4391 CVE-2013-4394
Created: October 14, 2013
Updated: December 13, 2016
Description: From the Debian advisory: Multiple security issues in systemd have been discovered by Sebastian Krahmer and Florian Weimer: Insecure interaction with DBUS could lead to the bypass of Policykit restrictions and privilege escalation or denial of service through an integer overflow in journald and missing input sanitising in the processing of X keyboard extension (XKB) files.
typo3-src: cross-site scripting
Package(s): typo3-src
CVE #(s): CVE-2013-1464
Created: October 11, 2013
Updated: October 16, 2013
Description: From the Debian advisory: Markus Pieton and Vytautas Paulikas discovered that the embedded video and audio player in the TYPO3 web content management system is [susceptible] to cross-site-scripting.
xen: information leak
Package(s): xen
CVE #(s): CVE-2013-4355 CVE-2013-4361
Created: October 14, 2013
Updated: December 9, 2013
Description: From the CVE entries: Xen 4.3.x and earlier does not properly handle certain errors, which allows local HVM guests to obtain hypervisor stack memory via a (1) port or (2) memory mapped I/O write or (3) other unspecified operations related to addresses without associated memory. (CVE-2013-4355) The fbld instruction emulation in Xen 3.3.x through 4.3.x does not use the correct variable for the source effective address, which allows local HVM guests to obtain hypervisor stack information by reading the values used by the instruction. (CVE-2013-4361)
xorg-server: code execution
Package(s): xorg-server
CVE #(s): CVE-2013-4396
Created: October 15, 2013
Updated: October 31, 2013
Description: From the CVE entry: Use-after-free vulnerability in the doImageText function in dix/dixfonts.c in the xorg-server module before 1.14.4 in X.Org X11 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted ImageText request that triggers memory-allocation failure.
Page editor: Jake Edge