Richard Smith, president of Phar Lap Software, said he came across the security flaw in the operating system after finding an earlier bug that causes customer information to be stored on Microsoft's Web site.
Smith said that, through the latest bug, other sites can read customer ID numbers, including a unique number that identifies a specific user's PC through its Ethernet network card and a Microsoft-assigned identification number used to track movements on the company's Web site.
The Microsoft ID is a unique serial number that identifies the person who registered the copy of Windows 98 running on that PC, he said. Smith added that the bug affects Windows 98's RegWiz ActiveX control and becomes apparent only when both Windows 98 and Internet Explorer 4.0 are used.
The ID information can be intercepted by Web sites visited by those who use the flawed software. Smith has posted a demonstration of the flaw to his company's Web site.
When asked about the finding, a Microsoft representative was unaware of the claim but said the company would look into it. Rob Bennett, a Microsoft product manager, said via an email message that the company will fix the problem as part of previously announced updates if it "turns out to be a real issue."
As previously reported, Microsoft earlier this week acknowledged that Windows 98 collects information on users' PCs through the Windows 98 registration process. The company acknowledged that documents created with Office 97 applications include information related to document authors. The company said it does not believe the two issues are related, and maintains that it does not collect the information in a database.
Earlier this week, the company said that the collection of identification data is unnecessary and that the practice will be halted. It also plans to issue software patches to prevent the insertion of ID numbers into Office documents.
However, the transmittal of data was thought to be limited to information stored only on Microsoft's Web site. The new flaw has the potential to be much more serious, Smith said, in that it introduces the possibility that other sites can collect data without users' knowledge.
"The more Web sites users visit, the more dangerous [the flaw] is," Smith said.
Microsoft earlier this week said the original flaw could be avoided by users who checked a box instructing Windows 98 to not transmit hardware information collected during the Windows 98 registration process.
Microsoft earlier this week scrambled to post a letter to its Web site outlining steps it has taken to fix the initial privacy problem. The company said it is updating Microsoft.com immediately to stop receipt of hardware ID from product registration and modifying the Windows 98 Registration Wizard feature in a subsequent service release of the product to ensure that hardware identification data is never created, let alone sent, as part of the registration process.
It also said it will start providing a software tool for download that users can use to delete hardware registration information from the Windows registry, and will purge hardware ID information that was gathered without the customer having chosen to provide Microsoft with this information.
John Duncan, a Microsoft Office product manager, told CNET News.com that a patch for Office, the company's popular desktop productivity suite, is expected to be posted on the company's Web site in "a matter of weeks."
The patch will prevent the insertion of a unique identifier into any new documents created with Office 97 applications.
Microsoft will also be providing a tool that will allow customers to remove unique identification numbers from existing Office 97 documents. In addition, users of Office 2000 will not need to worry about this issue, because, the company claims, the new version of Office will not include the ability to insert unique identifiers into documents.