Risk
5/13/2011
04:34 PM
Connect Directly
RSS
E-Mail
50%
50%

Adobe Adds Flash Privacy Controls

Flash Player and Google Chrome get patches against attacks currently seen in the wild.

Recommended Reading:
-- Adobe Flash Attacks Exploit Zero-Day Vulnerability
-- Online Privacy Battles Advertising Profits

Adobe is aiming to make Flash safer for users, in part by blocking questionable website-tracking practices.

The company on Thursday released Flash Player version 10.3, which now enables users to wipe the data stored by Flash from within the browser. That capability is designed to help people block the use of persistent Flash cookies--also known as Local Shared Objects (LSOs)--which some advertisers use to surreptitiously track every website that a user visits, regardless of their cookie or cache settings.

The new plug-in-wiping feature is facilitated by an API known as NPAPI:ClearSiteData. "This new API allows the browsers to communicate a user's desire to wipe user data stored by installed browser plug-ins. Now, when users go into their browser settings to clear their browser history or clear their cookies, they will be able to clear both their browser data as well as their plug-in data," according to a blog post from Adobe.

Any browser plug-in can use the new API, though Flash is the first to do so. For open source browsers, the functionality is currently only available for Chrome developers, but Adobe said "we expect to have official support across all open source browsers in the near future." Meanwhile, Adobe also worked with Microsoft to develop an equivalent capability--now live--for Internet Explorer 8 and 9.

The use of persistent Flash cookies, however, may be waning. Adobe pointed to a January 2011 report from Carnegie Mellon University, commissioned by Adobe, which found that only two of the top 100 websites were using Flash cookies. A check of 500 websites randomly selected from a list of the million most popular sites in the U.S. found none. Interestingly, both of the sites that were using Flash cookies discontinued the practice, one on its own, and one after being contacted by the Center for Democracy and Technology, which helped with the study.

The updated Flash Player also patches multiple critical vulnerabilities present in Flash Player 10.2 for Windows, Macintosh, Linux, Solaris, and Android. "These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system," according to Adobe's security bulletin.

Related attacks utilizing Microsoft Word and Excel files with a malicious Flash (.swf) file embedded in them have been seen in the wild, targeting Windows. "However, to date, Adobe has not obtained a sample that successfully completes an attack," it said.

The revamped Flash Player also adds an operating system control panel--in Windows, Apple OS X, and Linux operating systems--for tweaking all Flash settings. Adobe said it's also introduced an automatic update notification for Macintosh users, which Windows users already had. "In the past, Mac users often had trouble keeping up with Flash Player updates since the Mac OS and Flash Player ship schedules are not in sync," Adobe said.

The Flash Player update has already been built into the latest version of Google Chrome, also released on Thursday. That version of Chrome also patches two critical vulnerabilities, one involving WebKit, the other involving scalable vector graphics filters. Both of the issues were discovered by Google.

According to vulnerability information service Vupen, the vulnerabilities relate to "integer overflows and memory corruptions in WebKit and Flash, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted Web page."

Interestingly, Vupen and Google are still tussling over Vupen's assertion that it hacked Chrome's sandbox from within the browser itself, using two zero-day vulnerabilities. But Google information security engineer and "full-disclosure" aficionado Tavis Ormandy said via a Twitter post that "Vupen misunderstood how sandboxing worked in chrome, and only had a flash bug."

For the moment, Vupen has only released details of the vulnerability to its government customers.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.