<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hoffman Art Design &#187; Browser</title>
	<atom:link href="http://www.hoffmanartdesign.com/tag/browser/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hoffmanartdesign.com</link>
	<description>The Creative Ninja</description>
	<lastBuildDate>Wed, 01 Feb 2012 23:04:14 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1.2</generator>
		<item>
		<title>Browsing safely, browser updates, and a brief look forward &#8211; security news</title>
		<link>http://www.hoffmanartdesign.com/2009/09/browsing-safely-browser-updates-and-a-brief-look-forward-security-news/</link>
		<comments>http://www.hoffmanartdesign.com/2009/09/browsing-safely-browser-updates-and-a-brief-look-forward-security-news/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 11:00:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Acrobat]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Browser]]></category>

		<guid isPermaLink="false">http://www.hoffmanartdesign.com/2009/09/browsing-safely-browser-updates-and-a-brief-look-forward-security-news/</guid>
		<description><![CDATA[Safe Browsing – Tip of the Week This week’s tip comes courtesy of the Security Now! podcast, a great weekly treatise on all things secure. This is a really cool tip, thanks to Steve Gibson for producing a very informative podcast! There is a “diagnostic page” on Google, that consolidates malware reporting of a given [...]]]></description>
			<content:encoded><![CDATA[<p><img style="margin: 0px 15px 10px 0px" title="" border="0" alt="" align="left" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/Security.jpg" width="240" height="146" /><strong><font color="#ff0000">Safe Browsing – Tip of the Week</font></strong></p>
<p>This week’s tip comes courtesy of the <a href="http://www.grc.com/securitynow.htm" target="_blank">Security Now! podcast</a>, a great weekly treatise on all things secure. This is a really cool tip, thanks to Steve Gibson for producing a very informative podcast!</p>
<p>There is a “diagnostic page” on Google that consolidates malware reporting for a given domain or site, based on Google’s crawling of the website. It gives a report on the website, indicating whether Google’s web-crawling bots have detected malware in the site or any of its links. The diagnostic page is accessible using the following URL pattern:</p>
<p> <span id="more-333"></span>
</p>
<blockquote><p><strong>http://www.google.com/safebrowsing/diagnostic?site=<font color="#0000ff">somedomain.com</font></strong></p>
</blockquote>
<p>Where you can substitute “somedomain.com” with any domain for which you wish to see a report. For example, if we run this against the New York Times, using the following URL:</p>
<p><a href="http://www.google.com/safebrowsing/diagnostic?site=nytimes.com" target="_blank">http://www.google.com/safebrowsing/diagnostic?site=nytimes.com</a></p>
<p>We find that there is a record of malicious software found on one page of the site, which is consistent with the news reports surrounding that incident. Trying this diagnostic URL against other, more questionable sites often yields more colorful reporting. Go ahead, click the link to see the report. Cool!</p>
<p>This is one handy trick that I’ll keep up my sleeve, for use prior to browsing to questionable sites!</p>
<p><strong><font color="#ff0000">Browser Updates</font></strong></p>
<p><strong>Firefox</strong> has released version 3.5.3 (or 3.0.14 for those still using the legacy version). This version fixes <a href="http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.3" target="_blank">several known security risks</a>, as well as incorporating some stability fixes.</p>
<p><strong>Google Chrome</strong> was updated to 3.0.195.1, incorporating <a href="http://chrome.blogspot.com/2009/09/sporting-new-stable-release.html" target="_blank">stability fixes that have been in beta</a> for the past few months.</p>
<p>Here are the latest current browser versions. Use <strong>Help &gt; About…</strong> in your browser to verify you are up to date:</p>
<ul>
<li><a href="http://www.mozilla.com/en-US/firefox/personal.html" target="_blank">Firefox</a>: 3.5.3 or 3.0.14 </li>
<li><a href="http://www.google.com/chrome" target="_blank">Chrome</a>: 3.0.195.21 </li>
</ul>
<p>No changes since our last status update:</p>
<ul>
<li><a href="http://www.apple.com/safari/download/" target="_blank">Safari</a>: 4.0.3 </li>
<li><a href="http://www.opera.com/download/" target="_blank">Opera</a>: 10.00 </li>
<li><a href="http://www.microsoft.com/windows/internet-explorer/default.aspx" target="_blank">Internet Explorer</a>: 8.0.6001.18702 </li>
<li><a href="http://caminobrowser.org/" target="_blank">Camino</a>: 1.6.9 </li>
</ul>
<p><strong><font color="#ff0000">Adobe Software</font></strong></p>
<p>Adobe’s next security maintenance release for Acrobat and Reader is planned for Tuesday, October 13. It is not clear whether there will be any update to Flash Player in the next security cycle.</p>
<p>That’s all for this week’s security update!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hoffmanartdesign.com/2009/09/browsing-safely-browser-updates-and-a-brief-look-forward-security-news/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Pulse of Security &#8211; Are you up to date?</title>
		<link>http://www.hoffmanartdesign.com/2009/09/the-pulse-of-security-are-you-up-to-date/</link>
		<comments>http://www.hoffmanartdesign.com/2009/09/the-pulse-of-security-are-you-up-to-date/#comments</comments>
		<pubDate>Wed, 09 Sep 2009 11:00:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Browser]]></category>
		<category><![CDATA[Flash]]></category>
		<category><![CDATA[Snow Leopard]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.hoffmanartdesign.com/2009/09/the-pulse-of-security-are-you-up-to-date/</guid>
		<description><![CDATA[As you’re reading this, another “Windows Patch Tuesday” has come and gone (Microsoft normally sends their updates on the second Tuesday of the month), and, as is often the case lately, there are some critical security flaws being remedied in this latest round of patches. Do you sometimes feel that this is a never ending [...]]]></description>
			<content:encoded><![CDATA[<p><img style="border-bottom: 0px; border-left: 0px; margin: 0px 15px 0px 0px; display: inline; border-top: 0px; border-right: 0px" title="" border="0" alt="" align="left" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/Security.jpg" width="240" height="146" /> As you’re reading this, another “Windows Patch Tuesday” has come and gone (Microsoft normally sends their updates on the second Tuesday of the month), and, as is often the case lately, there are some critical security flaws being remedied in this latest round of patches. Do you sometimes feel that this is a never ending battle? Well, in many ways, it is. </p>
<p><strong>Complexity is the enemy of security</strong>, and today’s operating systems and the software we employ within them are incredibly complex… breeding grounds for programming errors, which can lead to security flaws.</p>
<p>What’s a poor person to do? How do you keep track of all this churn?</p>
<p>Keep your software up to date automatically, where possible, and check back here on Wednesdays where I’ll be keeping a pulse on the world of software security, and letting you know the straight scoop.</p>
<p>On today’s agenda – Windows monthly update, Snow Leopard introduction, and a summary of browser updates. Let’s start with Microsoft:</p>
<p> <span id="more-256"></span></p>
<p><strong><font color="#800000">Microsoft Updates</font></strong></p>
<p>On September 8, Microsoft released five critical patches, fixing seven security holes in Windows. Users with “automatic updates” enabled should be seeing these patches come through any time now. On the slate for this month:</p>
<ul>
<li>MS09-045 – A “<strong>critical</strong>” vulnerability in JScript Scripting Engine can allow remote code execution. This can be exploited by visiting a malicious website, and affects Windows 2000, XP, Vista, and Server 2003 and Server 2008.</li>
<li>MS09-046 – A “<strong>critical</strong>” vulnerability in DHTML Editing Component ActiveX Control can allow remote code execution. This can be exploited by visiting a malicious website, and affects Windows 2000 and XP, and, with “moderate” severity, Server 2003.</li>
<li>MS09-047 – Two “<strong>critical</strong>” vulnerabilities in Windows Media Format can allow remote code execution. This can be exploited by playing a malicious mp3 or asf file, and affects Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Microsoft Media Foundation, Windows Media Services 9.1, and Windows Media Services 2008.</li>
<li>MS09-048 – Three different vulnerabilities in Windows TCP/IP network handling protocol. Ratings range from “<strong>important</strong>” to “<strong>critical</strong>” depending on platform. Affects Windows 2000, Vista, and Server 2003 and Server 2008.</li>
<li>MS09-049 – A “<strong>critical</strong>” vulnerability in Wireless LAN AutoConfig Service can allow remote code execution. This is another remote code execution exploit affecting wireless clients or servers. Affects Windows Vista and Server 2008.</li>
</ul>
<p>In addition, Microsoft released an update for Microsoft Silverlight, an update to the Outlook Junk Email filter, updates to Genuine Advantage for Office, and the latest version of their Malicious Software Removal Tool.</p>
<p>Make sure you stay up to date! Many of these flaws are already being exploited today!</p>
<p><strong><font color="#800000">Apple Updates</font></strong></p>
<p>By now, almost everyone with a Mac has heard about Snow Leopard, Mac OS X 10.6. If you haven’t already upgraded, I’d recommend caution… stay away until things have stabilized a bit. However, if you’ve already taken the plunge, there are some things you need to know:</p>
<ul>
<li>For some unknown reason, Apple shipped Snow Leopard with an older version of Adobe Flash Player. The retail version of the OS comes with version 10.0.23.1, while the current version is actually 10.0.32.18. This has the unfortunate effect of downgrading your system, even if you were completely up to date prior to installing Snow Leopard. Further, the older version is vulnerable to several flaws that are being exploited in the wild. So, the first thing you’ll want to do is head over to <a href="http://kb2.adobe.com/cps/155/tn_15507.html" target="_blank">Adobe’s Flash Version tester</a>, and refresh your Flash Player if needed.</li>
<li>Also in Snow Leopard, Apple included a malware scanner in the operating system intended to check for certain known families of malicious software. This is intended to make the system safer and is a good move for the future, but I’m not convinced it is enough reason to upgrade just yet.</li>
</ul>
<p>Adobe software users will also be interested in Snow Leopard’s interaction with the Creative Suite, version CS3 and CS4. Several issues have bubbled to the surface, from compatibility problems to crashes to color space changes, so you might want to head over to <a href="http://blogs.adobe.com/jnack/2009/09/adobe_revises_snow_leopard_faq.html" target="_blank">John Nack’s blog</a>, or <a href="http://www.adobe.com/products/creativesuite/faq/" target="_blank">Adobe’s CS4 FAQ page with Snow Leopard information</a>, to check the latest compatibility information.</p>
<p><strong><font color="#800000">Browser Updates</font></strong></p>
<p>It’s time to shift gears and talk about browsers for a bit!</p>
<p>First up is <strong>Firefox</strong>, whose makers at Mozilla recently announced that its browser would <strong>*automatically* check for Flash Player updates </strong>from now on. This is a welcome change, and means that many users who were using vulnerable versions of Flash Player will get automatically upgraded. This will be introduced in the forthcoming version 3.5.3 and 3.0.14.</p>
<p>Also in browser news this past week, <strong>Opera version 10</strong> was released, and I was quite impressed as I tried it out! It is simple, clean, elegant – and fast! Quite zippy, in fact. Some of the new features, such as Speed Dial and built-in anti-malware protection, as well as a revamped tabbed interface, are quite good. I recommend giving it a spin, you’ll be impressed!</p>
<p>To summarize the state of major browser revisions, here is where you should be. You should be able to check your browser version with “<strong>Help &gt; About…</strong>”:</p>
<ul>
<li><a href="http://www.microsoft.com/windows/internet-explorer/default.aspx" target="_blank">Internet Explorer</a>: 8.0.6001.18702</li>
<li><a href="http://www.mozilla.com/en-US/firefox/personal.html" target="_blank">Firefox</a>: 3.5.2 or 3.0.13 (watch for a new release coming soon!)</li>
<li><a href="http://www.opera.com/download/" target="_blank">Opera</a>: 10.00</li>
<li><a href="http://www.apple.com/safari/download/" target="_blank">Safari</a>: 4.0.3</li>
<li><a href="http://www.google.com/chrome" target="_blank">Chrome</a>: 2.0.172.43</li>
<li><a href="http://caminobrowser.org/" target="_blank">Camino</a>: 1.6.9</li>
</ul>
<p>Check your browsers, and make sure you are up to date!</p>
<p>That’s all for this week (or, should I say, that’s “enough” for this week?) Keep that software up to date, and check back here on Wednesdays when we’ll bring you the latest security news you can use. Have a security question? Leave a comment or drop me an email, and I’ll do my best to help you out!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hoffmanartdesign.com/2009/09/the-pulse-of-security-are-you-up-to-date/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Cookie is Dead, Long Live the Cookie!</title>
		<link>http://www.hoffmanartdesign.com/2009/09/the-cookie-is-dead-long-live-the-cookie/</link>
		<comments>http://www.hoffmanartdesign.com/2009/09/the-cookie-is-dead-long-live-the-cookie/#comments</comments>
		<pubDate>Wed, 02 Sep 2009 11:00:00 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Flash]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Browser]]></category>
		<category><![CDATA[Cookies]]></category>
		<category><![CDATA[LSO]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.hoffmanartdesign.com/2009/09/the-cookie-is-dead-long-live-the-cookie/</guid>
		<description><![CDATA[Overview A recent study at UC Berkeley, a government inquiry, and several recent news articles have combined to highlight a new privacy concern, as well as some underhanded tricks that web tracking companies are using to monitor internet user activity. Using Adobe’s Flash Player, web sites now have the ability to track users using a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Overview</strong></p>
<p>A <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862" target="_blank">recent study at UC Berkeley</a>, a <a href="http://blog.ostp.gov/2009/07/24/cookiepolicy/" target="_blank">government inquiry</a>, and several recent <a href="http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/" target="_blank">news articles</a> have combined to highlight a new privacy concern, as well as some underhanded tricks that web tracking companies are using to monitor internet user activity. Using Adobe’s Flash Player, web sites now have the ability to track users using a concept similar to browser cookies – and up to now, this has been done silently, without notification, and in some cases <em>even after individual users have “opted out” of cookie tracking</em>.</p>
<p>In fact, the study showed that more than 50% of the top 100 internet sites used Flash data to “re-spawn” cookies that had been intentionally cleared, deleted, or blocked by users.</p>
<p>Here’s an experiment you can try. Take a look at the following folder in your system, to see what sites are using Flash data to maintain tracking information on your system:</p>
<p><u><strong>In Windows XP</strong></u>:</p>
<p>C:\Documents and Settings\{yourname}\Application Data\Macromedia\Flash Player\#SharedObjects</p>
<p><u><strong>In Windows Vista:</strong></u></p>
<p>C:\Users\{yourname}\AppData\Roaming\Macromedia\Flash Player\#SharedObjects</p>
<p><u><strong>In Mac OS X</strong></u>:</p>
<p>~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/</p>
<p>In each case, look in the subfolder with a random name, and you’ll be amazed at what you find.</p>
<p>The idea of using Flash Player to store tracking information isn’t new, but it has spawned a hidden system for tracking user activity in a way that is <u>neither self-evident, nor easily managed</u>. Read on for some background and suggestions on how to deal with this situation.</p>
<p>If you want to skip the gory details and just know how to prevent this, skip to the section near the end, titled “Adobe’s Flash Player Settings Application.”</p>
<p>Read on…</p>
<p> <span id="more-231"></span>
</p>
<p><strong>Concept of a browser cookie</strong></p>
<p>Once upon a time, a very long time ago in web years (about 1994), early developers of internet Web tools came across the challenge of keeping track of multiple users of a web site. They developed a technology that would allow the web server to know whether a particular user had previously visited their site. This would allow the server to display different content based on the visitor’s history, and led to many new ways of conducting Web business, most notably e-commerce (the original “shopping cart” concept). Thus was born the “cookie.”</p>
<p>A browser cookie isn’t much more than a very small amount of data, usually something like a serial number, that identifies a site visitor. The actual user-specific data is managed on the server, and the cookie is the link that lets the visitor’s browser talk to the server and allow the server to keep track of the visitor’s status – logged in, items in shopping cart, site display preferences, etc.</p>
<p>Almost as soon as cookies were developed, watchful groups became concerned over the potential privacy violations; ways that companies (or individuals) could misuse the browser as a tool to keep track of users and their browsing habits. Browsers were updated to allow users to block cookies entirely, or to clear them from history, and the game was on.</p>
<p><strong>Third party cookies and privacy concerns</strong></p>
<p>In many cases, today’s web sites are composed of content from multiple servers and locations, notably servers different from the ones to which we’ve requested a connection. Consider the ubiquitous advertisement pane that pops up on many pages – this advertisement is coming from another server, a “third party” to you and the hosting server. The advertising company serving the banner uses cookies to know whether it has served you an ad, and it may adjust its content based on your browsing history.</p>
<p>These types of third party cookies created a whole new area of concern, and most modern web browsers now include a setting in which you can completely block third party cookies, while allowing regular cookies to be passed between you and the site you are visiting. If you don’t have this blocking active already, please consider doing so right now!</p>
<p><strong>Cookie management in browsers</strong></p>
<p>Here is an example of the cookie management feature in Internet Explorer, and Firefox (Windows):</p>
<p><img style="border-right-width: 0px; margin: 0px 15px 0px 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="3pc-ie" border="0" alt="3pc-ie" align="left" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/3pcie.jpg" width="300" height="240" /></p>
<p><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; margin-left: 0px; border-left-width: 0px; margin-right: 0px" title="3pc-ff" border="0" alt="3pc-ff" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/3pcff.jpg" width="300" height="288" /></p>
<p>Note that in both cases, the browser clearly allows you to accept or block all cookies, and also makes a provision to block only third-party cookies while accepting first-party cookies. Other browsers have similar settings.</p>
<p>If you don’t already have these settings made, I recommend blocking third-party cookies as a privacy measure. This is my personal opinion, but is shared by many in the computing security field.</p>
<p><strong>The Local Shared Object (aka “Flash Cookie”)</strong></p>
<p>Now that you’ve got your cookie blocking active, here comes the curve ball.</p>
<p>Adobe’s Flash Player allows web sites to store information similar to a cookie on your machine. Adobe euphemistically refers to this data as a “Local Shared Object,” but most people refer to this as a “Flash Cookie,” and indeed it shares many traits with browser cookies:</p>
<ul>
<li>An LSO can store data from the server </li>
<li>An LSO can be used to maintain state for user management (tracking, commerce, session management, etc) </li>
</ul>
<p>However, the LSO has some very key differences from browser cookies:</p>
<ul>
<li>An LSO has no expiration date </li>
<li>An LSO can be very large (up to 10 Mb) in contrast to a browser cookie’s 4kb </li>
<li>An LSO cannot be blocked or cleared by any setting within the browser </li>
</ul>
<p>Scared yet?</p>
<p><strong>The study and results</strong></p>
<p>A <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862" target="_blank">recent study by UC Berkeley</a> reviewed the characteristics of 100 top web sites, as ranked by Quantcast. This study concluded that both HTTP and Flash Cookies were ubiquitous among top web sites, and over 50% of the sites surveyed were using Flash as well as HTTP cookies for various purposes. Further, the study found that Flash data was being used to reinstate, or “re-spawn,” cookie data that had been deleted or blocked by users. This included cookie data that was specifically subject to “opt-out” settings in accordance with the Network Advertising Initiative process.</p>
<p>I don’t know about you, but I don’t care to have companies re-spawning anything on my system after I’ve deleted it. This sounds WAY too much like malware behavior.</p>
<p><strong>Adobe’s Flash Player Settings Application</strong></p>
<p>Are you ready to stop the insanity? OK, let’s see how we can put an end to this nonsense. As I mentioned in the beginning, the solution is neither self-evident, nor easily managed. Here’s the kicker:</p>
<p>There is <u>no settings panel</u> within the Flash Player.</p>
<p>That’s right, it doesn’t exist at all. Not in the browser. Not in the player. How, then, do we manage the Flash Player settings? Why, we go to <a href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html" target="_blank">macromedia.com</a>, of course. Didn’t you know that? (Sarcasm intended).</p>
<p>Here’s the entry link, spelled out, just for fun, and below that is a small snapshot of the page you get when you go there:</p>
<p><a title="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html">http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html</a></p>
<p><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="afp-sp" border="0" alt="afp-sp" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/afpsp.jpg" width="500" height="391" /></p>
<p>What an odd place to locate the Flash Player Settings Manager. The oddest thing is, this page <strong>*is*</strong> the settings manager – there is no application, it is the page itself. Notice the fine print below the small image:</p>
<p><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="afp-sm" border="0" alt="afp-sm" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/afpsm.jpg" width="500" height="385" /></p>
<p>Am I wrong in thinking that, if your app needs a notice below it saying, “this is not an image, this is the actual Settings Manager,” there might be some room for improvement here?</p>
<p>The bottom line is that this is what Adobe has provided, obviously a relic from Macromedia days… so let’s dig in and look at some of the settings. Notice the row of icons across the top; there are actually 6 separate pages to this app, one for each tab. First is the “Global Privacy Settings” tab, which controls your camera and microphone. You can set it to “always deny” or to “always ask” for permission to use your microphone and camera. Spooky…</p>
<p>Next up, we’ll go to the second tab, and here’s where it gets interesting:</p>
<p><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="afp-sm2" border="0" alt="afp-sm2" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/afpsm2.jpg" width="420" height="285" /></p>
<p>In Global Storage settings, the default size for LSOs is 100Kb, but it will grow if needed. You can set it to a lower setting, or move it all the way to the left for 0kb… no storage (although an empty “cookie” is still created).</p>
<p>Notice that “Allow third party Flash content” is <strong>ON</strong> by default. I recommend turning this <strong>OFF</strong>!</p>
<p>You can explore the other tabs, but we’re going to jump over to the fourth tab, titled “Website Privacy Settings.” Pay dirt!</p>
<p><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="afp-sm3" border="0" alt="afp-sm3" src="http://www.hoffmanartdesign.com/wp-content/uploads/2009/09/afpsm3.jpg" width="420" height="286" /></p>
<p>In here, we can see a list of all the sites that have installed Flash content on your computer. Some are relatively harmless (the kuler.adobe.com site stores my kuler settings) and others are obviously tracking cookie engines. Again, you can set “always ask,” “always allow,” or “always deny,” but given that I’ve never had a site like quantserve ask my permission to install LSOs on my machine, I chose to “Delete all sites.”</p>
<p>Notice that there isn’t any sign of an “OK” or “make it so” button, so we must assume that clicking these settings has an immediate effect on Flash Player.</p>
<p><strong>Conclusions and Recommendations</strong></p>
<p>Having Local Shared Objects accessible by Flash Player allows many rich internet features, and enables intelligent applications to provide a broad and engaging user experience. However, the potential for abuse is far too open in the current Flash Player incarnation. The fact that the settings application is on a seemingly deprecated Macromedia website, and not readily available within the application, is an oversight that must be remedied, and soon. The results of the UC Berkeley study demonstrate that this feature is already widely abused.</p>
<p>Adobe, please give us a settings panel accessible from the right click context menu in Flash Player. Also, please embrace the <strong>TNO</strong> (“trust no one”) philosophy, by having the default for third party content be “opt-out.” We have to make these types of things easy for the common users &#8211; I don’t want to have to explain these settings to my parents.</p>
<p>That’s all I have to say about that. I’d love to hear your comments!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hoffmanartdesign.com/2009/09/the-cookie-is-dead-long-live-the-cookie/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

