Security
Browser tracking through "canvas fingerprinting"
Recently, public attention has been called to a new online user-tracking method that is purported to be nearly impossible to block. Called "canvas fingerprinting," the technique relies on forcing the browser to generate an image on the client side of the connection—an image that is unique enough to serve as a fingerprint for the browser that created it. In fact, the basis for this fingerprinting approach is several years old, but it does now seem to be in use in the wild. Whether or not it truly amounts to an insurmountable blocking challenge, however, remains to be seen.
ProPublica was among the first to report the discovery of the technique, in an article dated July 21. The tracker was discovered running on multiple high-traffic web sites, and was served by the web-tracking vendor AddThis. AddThis's user-visible feature is the appearance of click-and-share-this-link buttons that connect to various social-media services; the web-tracking function that accompanies said buttons is not advertised, of course.
The new tracker uses the HTML5 <canvas> element, telling the user's browser to draw a hidden image containing the text "Cwm fjordbank glyphs vext quiz"—which is a pangram in English, containing every letter of the alphabet. The text is rendered in the <canvas> element multiple times, in different colors and overlapping—and differences in the graphics stacks of different computers will produce slightly different results. That, plus the variations in browser-window size, text-rendering settings, and other variables, means that the resulting image, when rasterized, will exhibit a considerable amount of variation from one browser to the next. It can thus be sent back to the originating server (via the toDataURL method) to serve as a fingerprint to track the browser between different sites and repeat visits.
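The draw-then-read-back pattern described above can be observed from the defender's side. The following is an added example, not code from the article, AddThis, or the researchers: it wraps the 2D-context text methods and toDataURL, and reports any canvas that is serialized after text was drawn on it. The names watchCanvasReadback, FakeCanvas, and FakeContext and the report fields are assumptions made for the example; in a browser the prototypes to pass would be CanvasRenderingContext2D.prototype and HTMLCanvasElement.prototype.

```javascript
// Wraps the text-drawing and read-back methods so that a canvas which had text
// drawn on it and is then serialized with toDataURL() produces a report.
// Other read-back APIs (for example getImageData) would need the same hook.
// Returns a function that restores the original methods.
function watchCanvasReadback(ctxProto, canvasProto, report) {
  const textByCanvas = new WeakMap(); // canvas -> strings drawn on it
  const undo = [];

  const wrap = (proto, name, makeWrapper) => {
    const original = proto[name];
    undo.push(() => { proto[name] = original; });
    proto[name] = makeWrapper(original);
  };

  for (const name of ['fillText', 'strokeText']) {
    wrap(ctxProto, name, (original) => function (text, ...rest) {
      const seen = textByCanvas.get(this.canvas) || [];
      seen.push(String(text));
      textByCanvas.set(this.canvas, seen);
      return original.call(this, text, ...rest);
    });
  }

  wrap(canvasProto, 'toDataURL', (original) => function (...args) {
    const seen = textByCanvas.get(this) || [];
    if (seen.length > 0) {
      report({
        api: 'toDataURL',
        size: `${this.width}x${this.height}`,
        textDraws: seen.length,
        distinctTexts: [...new Set(seen)],
      });
    }
    return original.apply(this, args); // the page still gets its result
  });

  return () => undo.forEach((restoreOne) => restoreOne());
}

// Constructed stand-ins for the DOM classes so the example runs under Node.
class FakeCanvas {
  constructor(width, height) { this.width = width; this.height = height; }
  getContext() { return new FakeContext(this); }
  toDataURL() { return 'data:image/png;base64,CONSTRUCTED'; }
}
class FakeContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  strokeText() {}
}

// Replays the pattern the article describes (the pangram drawn repeatedly, then
// read back) next to a canvas that only draws and one that only reads back.
function demo() {
  const reports = [];
  const originalToDataURL = FakeCanvas.prototype.toDataURL;
  const restore = watchCanvasReadback(
    FakeContext.prototype, FakeCanvas.prototype, (r) => reports.push(r));

  const tracker = new FakeCanvas(300, 150);
  const ctx = tracker.getContext('2d');
  ctx.fillText('Cwm fjordbank glyphs vext quiz', 2, 15);
  ctx.fillText('Cwm fjordbank glyphs vext quiz', 4, 17);
  const url = tracker.toDataURL(); // text drawn, then serialized: reported

  const chart = new FakeCanvas(640, 480);
  chart.getContext('2d').fillText('constructed label', 10, 10); // never read back

  const blank = new FakeCanvas(16, 16);
  blank.toDataURL(); // read back, but no text was drawn: not reported

  restore();
  const restored = FakeCanvas.prototype.toDataURL === originalToDataURL;
  return { reports, url, restored };
}
```

A hook like this only sees scripts that run after it is installed, so it has to be in place before page scripts execute.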
Inquisitive users can visit the browserleaks.com page that tests <canvas> support to tell whether or not they are susceptible to this form of fingerprinting.
Although the AddThis fingerprinting tracker appears to be the first of its kind, the concept of canvas fingerprinting is not new. It was first described in detail in a 2012 paper written by Keaton Mowery and Hovav Shacham. The paper describes tests performed both with text rendering and by creating an image with WebGL. It goes into considerable detail about what parts of the browser and graphics stack contribute to differences in the resulting rendered image.
On the OpenGL side, the authors noted differences in the antialiasing algorithm, the interpolation of textures, and the illumination calculated for the OpenGL light source that is pointed at the image. In the text component, even though all text elements were rendered in the Arial font, there were discernible differences between the version of Arial used, the sub-pixel hinting, spacing, and antialiasing.
Ultimately, Mowery and Shacham estimated that their tests revealed an entropy of 5.73 bits, but noted that the tests were not sophisticated and that further refinement could yield better results. This is not an insignificant amount of entropy, but it is worth putting in context. The Panopticlick project from the Electronic Frontier Foundation (EFF) notes that the average browser fingerprint it observes contains 18.1 bits of entropy or more, which is enough to uniquely identify one browser out of roughly 280,000. An additional 5.73 bits pushes that number to one in 14.6 million.
Thus, even the relatively modest entropy accounted for in Mowery and Shacham's research can constitute a real threat to individual privacy when it is used in conjunction with other techniques. But the AddThis canvas fingerprinting technique may have improved on the 2012 research in other ways. ProPublica attributed the discovery of the new AddThis tracker to a team of researchers at KU Leuven University in Belgium and Princeton University in the United States. The team's findings have been published on the web, but the code and data have not yet been released—although the researchers have said it will be made public shortly.
On the other hand, assessing the real-world implications of this new flavor of web tracker requires determining how difficult it is to defeat. ProPublica titled its article on the find "Meet the Online Tracking Device That is Virtually Impossible to Block," but that would appear to overstate matters. Tor implemented a canvas-fingerprinting blocker in the Tor Browser Bundle in 2012. The EFF told MediaPost that its recent update to the Privacy Badger extension will block the AddThis tracker along with other social-media-based trackers. And commenters on many web articles about the find have also reported that the tracker can be defeated by the usual options like NoScript or by disabling JavaScript entirely.
The ProPublica article does mention tracker-blocking options in a sidebar, although it labels them with discouraging warnings like "can be slow" and "requires a lot of research and decision-making". Users who are attuned to the risks of browser-tracking and the steps necessary to combat it may find such commentary objectionable. But then again, it is the "average user" who makes up the bulk of the population that AddThis and other web-tracking companies will be collecting data from. Reality is, unfortunately, that a great many users cannot or will not take steps to improve their privacy beyond whatever ships by default in the browser. Even if canvas fingerprinting fails to catch on, the contest to capture those users' movements through the web will undoubtedly just move on to the next user-tracking idea.
Brief items
Security quotes of the week
Finally, a task called file_relay allows Apple to remotely dump your address book, voicemail recordings, calendar, SMS messages, screenshots, e-mail accounts, and so on.
I challenge anyone technical to read the details [PDF] and not conclude that iOS is deliberately designed to support spying.
Docker security with SELinux (Opensource.com)
Dan Walsh looks at container security, on Opensource.com. "I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system [...] Stop assuming that Docker and the Linux kernel protect you from malware."
New vulnerabilities
acpi-support: privilege escalation
| Package(s): | acpi-support | CVE #(s): | CVE-2014-1419 |
| Created: | July 23, 2014 | Updated: | August 12, 2014 |
| Description: | From the Debian advisory: CESG discovered a root escalation flaw in the acpi-support package. An unprivileged user can inject the DBUS_SESSION_BUS_ADDRESS environment variable to run arbitrary commands as root user via the policy-funcs script. |
cups: privilege escalation
| Package(s): | cups | CVE #(s): | CVE-2014-3537 |
| Created: | July 21, 2014 | Updated: | July 28, 2014 |
| Description: | From the Red Hat bugzilla: It was discovered that a local user with privileges of group=lp can write symbolic links in the rss directory and use that to gain '@SYSTEM' group privilege with cupsd. |
httpd: multiple vulnerabilities
| Package(s): | httpd | CVE #(s): | CVE-2014-0118 CVE-2014-0226 CVE-2014-0231 CVE-2013-4352 CVE-2014-0117 |
| Created: | July 23, 2014 | Updated: | April 13, 2015 |
| Description: | From the Red Hat advisory: A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user. (CVE-2014-0226) A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. (CVE-2014-0118) A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely. (CVE-2014-0231) A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching. (CVE-2013-4352) A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash. (CVE-2014-0117) |
java-1.7.0-oracle: multiple unspecified vulnerabilities
| Package(s): | java-1.7.0-oracle | CVE #(s): | CVE-2014-4208 CVE-2014-4220 CVE-2014-4227 CVE-2014-4264 CVE-2014-4265 |
| Created: | July 18, 2014 | Updated: | July 23, 2014 |
| Description: | From the CVE entries: CVE-2014-4208: Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4220. CVE-2014-4220: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4208. CVE-2014-4227: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVE-2014-4264: Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect availability via unknown vectors related to Security. CVE-2014-4265: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Deployment. |
kernel: multiple vulnerabilities
| Package(s): | kernel | CVE #(s): | CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 |
| Created: | July 17, 2014 | Updated: | July 30, 2015 |
| Description: | From the SUSE advisory: CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795) CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795) CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795) |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2014-4943 |
| Created: | July 17, 2014 | Updated: | August 7, 2014 |
| Description: | From the Ubuntu advisory: Sasha Levin reported a flaw in the Linux kernel's point-to-point protocol (PPP) when used with the Layer Two Tunneling Protocol (L2TP). A local user could exploit this flaw to gain administrative privileges. (CVE-2014-4943) |
kernel-rt: information leak
| Package(s): | kernel-rt | CVE #(s): | CVE-2014-4027 |
| Created: | July 23, 2014 | Updated: | July 23, 2014 |
| Description: | From the CVE entry: The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. |
lz4: denial of service/possible code execution
| Package(s): | lz4 | CVE #(s): | CVE-2014-4715 |
| Created: | July 17, 2014 | Updated: | July 25, 2014 |
| Description: | From the CVE entry: Yann Collet LZ4 before r119, when used on certain 32-bit platforms that allocate memory beyond 0x80000000, does not properly detect integer overflows, which allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run, a different vulnerability than CVE-2014-4611. |
mozilla: multiple vulnerabilities
| Package(s): | firefox thunderbird seamonkey | CVE #(s): | CVE-2014-1547 CVE-2014-1555 CVE-2014-1556 CVE-2014-1557 |
| Created: | July 23, 2014 | Updated: | August 11, 2014 |
| Description: | From the Red Hat advisory: Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1547, CVE-2014-1555, CVE-2014-1556, CVE-2014-1557) |
mozilla: multiple vulnerabilities
| Package(s): | firefox thunderbird seamonkey | CVE #(s): | CVE-2014-1548 CVE-2014-1549 CVE-2014-1550 CVE-2014-1561 CVE-2014-1558 CVE-2014-1559 CVE-2014-1560 CVE-2014-1552 |
| Created: | July 23, 2014 | Updated: | January 26, 2015 |
| Description: | From the Ubuntu advisory: Christian Holler, David Keeler, Byron Campen, Gary Kwong, Jesse Ruderman, Andrew McCreight, Alon Zakai, Bobby Holley, Jonathan Watt, Shu-yu Guo, Steve Fink, Terrence Cole, Gijs Kruitbosch and Cătălin Badea discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1548) Atte Kettunen discovered a buffer overflow when interacting with WebAudio buffers. An attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1549) Atte Kettunen discovered a use-after-free in WebAudio. An attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2014-1550) David Chan and Gijs Kruitbosch discovered that web content could spoof UI customization events in some circumstances, resulting in a limited ability to move UI icons. (CVE-2014-1561) Christian Holler discovered several issues when parsing certificates with non-standard character encoding, resulting in the inability to use valid SSL certificates in some circumstances. (CVE-2014-1558, CVE-2014-1559, CVE-2014-1560) Boris Zbarsky discovered that network redirects could cause an iframe to escape the confinements defined by its sandbox attribute in some circumstances. An attacker could potentially exploit this to conduct cross-site scripting attacks. (CVE-2014-1552) |
mysql: unidentified vulnerabilities
| Package(s): | mysql-5.5 | CVE #(s): | CVE-2014-2494 CVE-2014-4207 CVE-2014-4258 CVE-2014-4260 |
| Created: | July 17, 2014 | Updated: | July 28, 2014 |
| Description: | From the Ubuntu advisory: Multiple security issues were discovered in MySQL and this update includes a new upstream MySQL version to fix these issues. MySQL has been updated to 5.5.38. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please see the following for more information: |
nss: code execution
| Package(s): | nss | CVE #(s): | CVE-2014-1544 |
| Created: | July 23, 2014 | Updated: | November 12, 2014 |
| Description: | From the Red Hat advisory: A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application. |
ocsinventory: cross-site scripting
| Package(s): | ocsinventory | CVE #(s): | CVE-2014-4722 |
| Created: | July 21, 2014 | Updated: | August 8, 2014 |
| Description: | From the CVE entry: Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web Interface in OCS Inventory NG allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
openjdk-6: unspecified vulnerability
| Package(s): | openjdk-6 | CVE #(s): | CVE-2014-4268 |
| Created: | July 18, 2014 | Updated: | September 2, 2014 |
| Description: | From the CVE entry: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing. |
php-ZendFramework: SQL injection
| Package(s): | php-ZendFramework | CVE #(s): | CVE-2014-4914 |
| Created: | July 22, 2014 | Updated: | August 6, 2014 |
| Description: | From the Zend framework advisory: The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses. |
polarssl: denial of service
| Package(s): | polarssl | CVE #(s): | CVE-2014-4911 |
| Created: | July 18, 2014 | Updated: | August 6, 2014 |
| Description: | From the Debian advisory: A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS library, which can be exploited by a remote unauthenticated attacker to mount a denial of service against PolarSSL servers that offer GCM ciphersuites. Potentially clients are affected too if a malicious server decides to execute the denial of service attack against its clients. |
privoxy: privoxy requires privoxyd
| Package(s): | privoxy | CVE #(s): | |
| Created: | July 21, 2014 | Updated: | July 23, 2014 |
| Description: | From the openSUSE advisory: privoxy-3.0.16-networkmanager.systemd.patch: update Networkmanager dispatcher to reload config of privoxy with systemd (bnc#862339) |
Page editor: Jake Edge
