|
-
January 26th, 2002, 07:08 PM
#1
Media Player, better than cookies
came accross this posted here:
http://cpc-net.org/cpc/main/article.php?sid=145
thought this might interest ppl here
New privacy-enhancing controls in Microsoft's Internet Explorer 6.0 can be rendered useless by a long-known security flaw in Windows Media Player, a noted security expert said Tuesday.
This week, computer privacy and security consultant Richard Smith warned that a unique ID created under default settings for the Windows Media Player provides a simple override for those measures. The flaw allows a malicious Web site to create what he described as a "supercookie" capable of tracking people using any version of Internet Explorer and Netscape Navigator, regardless of the privacy settings they choose.
"Using simple JavaScript code on a Web page, a Web site can grab the unique ID number of the Windows Media Player belonging to a Web site visitor," Smith said. "This ID number can then be used just like a cookie by Web sites to track a user's travels around the Web."
Although Microsoft has provided a fix to the flaw, Smith said the solution does not go far enough.
"There are many people who have never run Windows Media Player, yet they are still vulnerable to the problem," he said.
In Windows Media Player versions 6.4 and 7.1, people can turn off the option "Allow Internet Sites to uniquely identify your player" in their settings to stop potential tracking by creating a different number for each IE session. In addition, they can uninstall Windows Media Player or turn off JavaScript.
Smith, however, said many people may not make the connection that they need to tweak Windows Media Player, a free product that is distributed with most copies of the Windows operating system, to fix a privacy leak in IE.
In the past several months, for example, more than half a dozen security problems have been found with the latest version of Internet Explorer. Most recently, a security researcher revealed a bug in IE 6 that could let an attacker send an HTML e-mail, which in turn could steal cookies, allow access to files, or direct the victim to a false Web site.
All of the flaws drive a truck through Microsoft's efforts to promote privacy.
"The real issue is, here you have Microsoft spending time and money on promoting how wonderful P3P is, and there is a simple workaround," Smith said. "If Web sites get annoyed by too many people turning off cookies or using P3P, they can use supercookies instead, bypassing decisions users have made. It potentially becomes a game of spy vs. spy."
By Stefanie Olsen - News.com
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
