Privacy flaw continues to dig IE hole

New privacy-enhancing controls in Microsoft's Internet Explorer 6.0 can be rendered useless by a long-known security flaw in Windows Media Player, a security expert says.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Stefanie Olsen
3 min read
New privacy-enhancing controls in Microsoft's Internet Explorer 6.0 can be rendered useless by a long-known security flaw in Windows Media Player, a noted security expert said Tuesday.

The software giant has heavily promoted the privacy features of its new browser, which includes support for recently approved standards known as P3P (Platform for Privacy Preferences). Among other things, the standards aim to give Web surfers more control over electronic markers known as cookies, which can be used to peek into people's online activities.

This week, computer privacy and security consultant Richard Smith warned that a unique ID created under default settings for the Windows Media Player provides a simple override for those measures. The flaw allows a malicious Web site to create what he described as a "supercookie" capable of tracking people using any version of Internet Explorer and Netscape Navigator, regardless of the privacy settings they choose.

"Using simple JavaScript code on a Web page, a Web site can grab the unique ID number of the Windows Media Player belonging to a Web site visitor," Smith said. "This ID number can then be used just like a cookie by Web sites to track a user's travels around the Web."

Although Microsoft has provided a fix to the flaw, Smith said the solution does not go far enough.

"There are many people who have never run Windows Media Player, yet they are still vulnerable to the problem," he said.

Confusing solution?
Smith, who said he first discovered the flaw and notified Microsoft last March, reported the hole in a posting on the Bugtraq security mailing list.

A Microsoft representative said the company issued a patch for the problem in May, allowing people to change Windows Media Player's default settings. The fix also solves a recently identified vulnerability that allows a malicious set of Web sites to profile a person through the media player, according to Microsoft.

In Windows Media Player versions 6.4 and 7.1, people can turn off the option "Allow Internet Sites to uniquely identify your player" in their settings to stop potential tracking by creating a different number for each IE session. In addition, they can uninstall Windows Media Player or turn off JavaScript.

"Although we typically do not discuss privacy issues in security bulletins, the privacy issue in this case is eliminated by applying the patch and then selecting the new user settings," a Microsoft representative wrote via e-mail.

Smith, however, said many people may not make the connection that they need to tweak Windows Media Player, a free product that is distributed with most copies of the Windows operating system, to fix a privacy leak in IE.

The privacy alert comes as Microsoft has been touting the privacy-enhancing features of its latest browser. P3P allows consumers to set their browser preferences to reject Web sites with inadequate privacy policies. But as Microsoft promotes new security and privacy initiatives, it has repeatedly faced disclosures of new vulnerabilities.

In the past several months, for example, more than half a dozen security problems have been found with the latest version of Internet Explorer. Most recently, a security researcher revealed a bug in IE 6 that could let an attacker send an HTML e-mail, which in turn could steal cookies, allow access to files, or direct the victim to a false Web site.

Last month, Microsoft urged people to apply a patch for a severe security hole found in Windows XP, which the software titan had boasted was its "most secure operating system yet."

All of the flaws drive a truck through Microsoft's efforts to promote privacy.

"The real issue is, here you have Microsoft spending time and money on promoting how wonderful P3P is, and there is a simple workaround," Smith said. "If Web sites get annoyed by too many people turning off cookies or using P3P, they can use supercookies instead, bypassing decisions users have made. It potentially becomes a game of spy vs. spy."