Blog entry by Les Bell

by Les Bell - Wednesday, July 5, 2023, 10:54 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Swedish Companies Fined for Using Google Analytics

In a heads-up for privacy professionals everywhere, the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY) has fined two companies for using Google Analytics and warned one, along with two others, to bring their security measures into line with the requirements of the EU GDPR (General Data Protection Regulation).

The decision stems from ongoing concerns held by the EU over invasive US surveillance programs, such as PRISM and UPSTREAM, which could expose the personally identifiable information of EU residents which had been transferred to the US for processing by service providers. The US has attempted to assuage EU fears with the establishment of various compliance programs; initially a set of principles termed Safe Harbor, which was replaced in 2016 by the Privacy Shield framework. This establishes a list of companies to which EU firms could legally transfer PII; the list is maintained by the US Department of Commerce and compliance with its requirements is monitored by the US Federal Trade Commission.

However, in July 2020, the Court of Justice of the European Union declared the EU's Privacy Shield Decision invalid on account of invasive US surveillance, and stipulated stricter requirements for the transfer of data based on standard contractual clauses (SCCs), which must provide data subjects a level of protection essentially equivalent to the EU GDPR and the EU Charter of Fundamental Rights. If the standard contractual clauses are insufficient to do this, then EU companies which transfer PII to the US must implement additional safeguards to compensate.

Sweden's IMY has audited how four companies transfer personal data to the US via Google Analytics - specifically, a version of Google Analytics from 14 August 2020 - based on complaints from the organisation None of Your Business (NOYB). IMY considers the data to be personal data because it can be linked with other unique data that is transferred (which is rather the point of targeted advertising analytics). The four companies based their decision to utilise Google Analytics on standard contractual clauses, but after audit, IMY decided that none of the companies' additional technical security measures were sufficient.

The four companies involved are:

  • Tele2 SA, which was fined 12 million Swedish Krona
  • CDON AB, fined 300,000 Swedish Krona
  • Coop SA
  • Dagens Industri

Tele2 SA had already independently decided to stop using Google Analytics; the other three firms were ordered to stop and to implement adequate data protection mechanisms. This decision aligns with similar steps taken by authorities in Austria, France and Italy; Facebook parent Meta had previously been fined a record US$1.3 billion by the EU. All eyes are now turning to the finalisation of a proposed replacement for Privacy Shield, to be called the EU-US Privacy Framework.

IMY, Four companies must stop using Google Analytics, news release, 3 July 2023. Available online at https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/.

noyb, noyb win: First major fine (€1 million) for using Google Analytics, news release, 3 July 2023. Available online at https://noyb.eu/en/noyb-win-first-major-fine-eu-1-million-using-google-analytics.

Ghostscript Feature Turns Bug, Then Turns Vulnerability

Since the release of the Apple LaserWriter back in the 1980s, the leading page description and graphics language for printers has been PostScript. It turns up everywhere: embedded into printers, but also as the underlying language for PDF, the Portable Document Format, used for document interchange near-universally. It is also an essential component of LaTeX, the technical editing and publishing system used by computer science academics and mathematicians for typesetting their work. In particular, a lot of technical graphics gets generated in the form of PostScript - particularly Encapsulated PostScript (.eps) files. And while there are plenty of PDF viewers to choose from, the majority of academics writing LaTeX will use Ghostscript to render and view .ps and .eps files.

Writing for Sophos' Naked Security blog, Paul Ducklin describes how a long-lived feature of the venerable Ghostscript program turned out to be not just a bug, but an exploitable vulnerability. On UNIX and Linux systems, print processing used to be done using shell scripts that would run a series of small text processing programs to generate whatever format the connected printer required - and to do this, they would pipe the output of one program into the next. This is a fundamental feature of the classic Software Tools concept that underlies UNIX - write small programs that each do one thing, and do it well, and then combine them to accomplish more complex tasks.

The combination is performed by using the I/O redirection features of the shell - that is, > to send the output of a program to a file, < to read the input of a program from a file, and | (the pipe symbol) to connect the output of one program into the input of the next, via an in-memory buffer. And it's not just UNIX that has this ability - Microsoft introduced it into MS-DOS 2.0 in the early 1980s (although, being a single-tasking system, DOS had to run one program after the other and faked pipes via temporary files) and it lives on in Windows. Ghostscript is also often used in web applications, to generate downloadable documents from web pages.

It turns out that Ghostscript's PostScript implementation can open and write to files. And, like many UNIX programs, as well as simple file pathnames, it will accept strings that begin with the pipe symbol, |, and continue with a command into which the output will be written. In fact, this can be a complete command line, with options and arguments, etc. (Actually, the string %pipe% can also be used, in Ghostscript).

If you're a security pro, you should by now be thinking of various ways this can be used maliciously. In short, it will allow an innocuous PostScript, EPS or even PDF file to execute commands on the target system. However, this was only realized fairly recently, giving rise to CVE-2023-36664, which is finally fixed in Ghostscript 10.01.2. I say finally because, rushing to get a patch out the door, the maintainers' first attempt only checked for the %pipe% string, and it required a second attempt to also match the | symbol. This is not that unusual when programmers are under pressure to fix a vulnerability.
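The two-stage patch story above is worth seeing concretely from the defender's side: a check that matches only the %pipe% spelling misses the bare | form, and a scanner that looks only at the literal bytes of a filename misses the same prefix written with a PostScript escape. The example below is added here and is not code from Ghostscript or from Ducklin's article. It is a small static triage scanner in Python that pulls string literals out of a PostScript or EPS file (handling nested parentheses, backslash and octal escapes, and hex strings) and flags any literal that Ghostscript would treat as a command pipe, contrasting the incomplete %pipe%-only check with the complete one. The sample document, the PLACEHOLDER_CMD string and the helper names (postscript_strings, find_pipe_targets, compare_checks) are all constructed for this illustration; case-insensitive matching of %pipe% is a conservative choice for triage, not a statement about Ghostscript's own comparison.

```python
"""Static triage for PostScript/EPS input: flag string literals that name a
command pipe rather than a file. Added example; not Ghostscript's own code."""

# Prefixes that make Ghostscript open a command instead of a file path.
PIPE_PREFIXES = ("|", "%pipe%")

# Constructed sample document (not a real file). PLACEHOLDER_CMD stands in for
# whatever a hostile document would put after the prefix.
SAMPLE_PS = r"""%!PS-Adobe-3.0 EPSF-3.0
% constructed sample, not a real document
/out (report.txt) (w) file def               % ordinary file name: fine
/bad1 (%pipe%PLACEHOLDER_CMD) (w) file def   % caught by the first patch
/bad2 (|PLACEHOLDER_CMD) (w) file def        % missed by the first patch
/bad3 (\174PLACEHOLDER_CMD) (w) file def     % octal escape for '|'
/bad4 <7c504c414345484f4c4445525f434d44> (w) file def  % hex string for '|PLACEHOLDER_CMD'
(nested (parens) are legal) show
"""


def incomplete_check(name: str) -> bool:
    """The first-attempt style of check the article describes: %pipe% only."""
    return name.lower().startswith("%pipe%")


def is_pipe_filename(name: str) -> bool:
    """Complete check: either the bare '|' form or the '%pipe%' form."""
    return name.startswith("|") or name.lower().startswith("%pipe%")


def _decode_escape(src: str, j: int):
    """Decode the escape whose first character is src[j] (the char after '\\').
    Returns (decoded_text, index_after_escape). Hypothetical helper."""
    c = src[j]
    if c in "01234567":                      # \ddd octal, up to three digits
        k = j
        while k < len(src) and k - j < 3 and src[k] in "01234567":
            k += 1
        return chr(int(src[j:k], 8) & 0xFF), k
    if c == "\n":                            # backslash-newline: continuation
        return "", j + 1
    if c == "\r":
        k = j + 1
        if k < len(src) and src[k] == "\n":
            k += 1
        return "", k
    return {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}.get(c, c), j + 1


def postscript_strings(src: str):
    """Yield the decoded contents of every literal string in src.

    Handles '(...)' strings with balanced nested parentheses and escapes, and
    '<hex>' strings. Comments are skipped. ASCII85 '<~...~>' strings are not
    decoded (assumption: they are rare as file names in practice)."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c == "%":                         # comment runs to end of line
            while i < n and src[i] not in "\r\n":
                i += 1
        elif c == "(":
            depth, j, buf = 1, i + 1, []
            while j < n:
                c = src[j]
                if c == "\\" and j + 1 < n:
                    text, j = _decode_escape(src, j + 1)
                    buf.append(text)
                    continue
                if c == "(":
                    depth += 1
                elif c == ")":
                    depth -= 1
                    if depth == 0:
                        break
                buf.append(c)
                j += 1
            yield "".join(buf)
            i = j + 1
        elif c == "<":
            if i + 1 < n and src[i + 1] in "<~":   # '<<' dict or '<~' ASCII85
                i += 2
                continue
            j = src.find(">", i + 1)
            if j == -1:
                break
            hexdigits = "".join(ch for ch in src[i + 1:j] if not ch.isspace())
            if len(hexdigits) % 2:
                hexdigits += "0"             # PostScript pads an odd final digit
            try:
                yield bytes.fromhex(hexdigits).decode("latin-1")
            except ValueError:
                pass                         # not a hex string; ignore it
            i = j + 1
        else:
            i += 1


def find_pipe_targets(src: str) -> list:
    """Every string literal in src that Ghostscript would open as a pipe."""
    return [s for s in postscript_strings(src) if is_pipe_filename(s)]


def compare_checks(src: str) -> tuple:
    """(hits with the complete check, hits with the %pipe%-only check)."""
    strings = list(postscript_strings(src))
    return (sum(map(is_pipe_filename, strings)), sum(map(incomplete_check, strings)))


if __name__ == "__main__":
    for s in find_pipe_targets(SAMPLE_PS):
        print("pipe target:", s)
    print("complete vs %pipe%-only:", compare_checks(SAMPLE_PS))
```

On the sample, the complete check flags four literals and the %pipe%-only check flags one. Decoding escapes before matching matters because the prefix check is on the string Ghostscript ends up with, not on the bytes as written. A scan like this is a triage aid for files arriving at a web application's conversion step or a shared print queue; the fix is the 10.01.2 update, not the scanner.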

Ducklin, Paul, Ghostscript bug could allow rogue documents to run system commands, blog post, 4 July 2023. Available online at https://nakedsecurity.sophos.com/2023/07/04/ghostscript-bug-could-allow-rogue-documents-to-run-system-commands/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
