Tuesday, 4 August 2009

GarageBand v5.1: Tracking Cookie Security Patch

--
Apple is now offering an update via 'Software Update' to GarageBand version 5.1, available for users of Mac OS X 10.5.7. You can read about the included security patch HERE.

To quote Apple:

Impact: A user's web activity may be tracked by third parties and advertisers.

Description
: When GarageBand is opened, Safari's preferences are changed to always accept cookies. The default preference is to accept cookies only for the sites being visited. The altered setting may allow third parties and advertisers to track a user's web activity. This update addresses the issue by not changing the preference setting. Users who have run previous versions of GarageBand should confirm that their Safari preferences are set as desired.


What's going on:

GarageBand is allowing what are called 'Tracking Cookies' to be accepted by Safari. This type of cookie is used for marketing purposes to watch your individual behavior on the net. IOW you are under surveillance. This is essentially the same as having a chip implanted in your brain that collects data on your interests. It triggers off advertisements that 'fit your interests' as you visit further web pages. I personally find this form of marketing to be invasive and disrespectful. I never allow it.

If you think you've been messed over by this bug in GarageBand, here is what I suggest:

1) Update to GarageBand v5.1.

2) Just to be safe, make a backup of Safari's 'Cookies.plist' file. You will find it here:

~/Library/Cookies/Cookies.plist

3) As Apple suggests, go into Safari's Preferences and hit the 'Security' tab. Change the 'Accept cookies' setting to "Only from sites I visit". This stops any 3rd party cookies from being dumped into your browser, killing off any chance of being infected with Tracking Cookies.

4) Click the "Show Cookies" button. It is just below the settings in #2.

5) Either painstakingly go through your cookies and 'Remove' those you don't want, or simply hit the 'Remove All' button. This makes certain that all Tracking Cookies have been deleted along with all your other cookies.

There are of course complications after tossing your cookies. The most common result is not being able to automatically log in to sites where you have an account or membership. If you haven't kept track of all your IDs and passwords then you're hosed and will have to create new accounts. My solution is to keep a personal list of my net IDs and passwords in text file stored on the encrypted .DMG volume that loads when I log into my user account. I also keep my IDs and passwords encrypted inside the application 1Password, which is a shareware super form of keychain. I've mentioned it here on the blog several times.

In the worst case scenario where you MUST have something that was stored in your cookies, you can always swap back in your backed up Cookies.plist file from step #2 above.

Tracking Cookies aren't actually malware, and having a few buried in your cookie pile won't kill you. Nonetheless, they are a form of spyware. They are also IMHO of no benefit to anyone but marketing companies.
--

No comments:

Post a Comment

Search