Bugtraq mailing list archives
Other file formats that can "phone" home
From: "Richard M. Smith" <rms () PRIVACYFOUNDATION ORG>
Date: Sat, 2 Sep 2000 16:03:57 -0400
Hello,
Microsoft Security Response Center wrote: - It suggests that this is a purely Microsoft issue, when in fact it applies to all web-enabled applications. There are thousands of them, and they run on all operating systems.
Actually in the advisory we make the point that this is not just a Microsoft Word issue: "The use of Web bugs in Word does point to a more general problem. Any file format that supports automatic linking to Web pages or images could lead to the same problem. Software engineers should take this privacy issue into consideration when designing new file formats. This issue is potentially critical for music file formats such as MP3 files where piracy concerns are high. For example, it is easy to imagine an extended MP3 file format that supports embedded HTML for showing song credits, cover artwork, lyrics, and so on. The embedded HTML with embedded Web bugs could also be used to track how many times a song is played and by which computer, identified by its IP address." However, clearly not every web-enabled application has this problem. The key issue is not if the application is web-enabled but if a *file format* supported by an application is web-enabled. Yes, there are easily thousands of Web-enabled applications but is unlikely that most of them have file formats that can be bugged. The Privacy Foundation is very interested in hearing about other applications that support file formats that can be "buggesd". Please drop me a line if you know of one. Even better send a sample file. To get the ball rolling, folks who are using Office suite products from other vendors can test out our demo documents and report back the results. The URLs for the demo documents are: http://www.privacycenter.du.edu/demos/bugged.doc http://www.privacycenter.du.edu/demos/bugged.xls http://www.privacycenter.du.edu/demos/bugged.ppt For a file format to be "buggable" it needs to support embedded HTML content or links to Web images that are automatically activated when a file is opened. Richard ================================================ Richard M. Smith Chief Technology Officer Privacy Foundation Email: rms () privacyfoundation org http://www.privacyfoundation.org ================================================
Current thread:
- Re: Microsoft Word documents that "phone" home, (continued)
- Message not available
- Re: Microsoft Word documents that "phone" home Peter Ilieve (Sep 02)
- Message not available
- Re: Microsoft Word documents that "phone" home Don Halterman (Sep 01)
- Re: Microsoft Word documents that "phone" home Hal DeVore (Sep 02)
- Re: Microsoft Word documents that "phone" home Rob Slade, doting grandpa of Ryan and Trevor (Sep 01)
- Re: Microsoft Word documents that "phone" home Rex Sanders (Sep 01)
- Re: Microsoft Word documents that "phone" home Kris Kennaway (Sep 01)
- Re: Microsoft Word documents that "phone" home Michael Wojcik (Sep 01)
- Re: Microsoft Word documents that "phone" home Microsoft Security Response Center (Sep 01)
- Re: Microsoft Word documents that "phone" home Terje Bless (Sep 02)
- Re: Microsoft Word documents that "phone" home Brad (Sep 02)
- Other file formats that can "phone" home Richard M. Smith (Sep 03)
- Re: Other file formats that can "phone" home jsl2 (Sep 04)
- Re: Other file formats that can "phone" home Richard M. Smith (Sep 04)
- Sun StarOffice documents that "phone home" and other interesting problems Kurt Seifried (Sep 04)
- Re: Sun StarOffice documents that "phone home" and other interesting problems Luca Berra (Sep 05)
- Leftover data in other files (was Re: Sun StarOffice documents that "phone home".....) jsl2 (Sep 05)
- Re: Leftover data in other files (was Re: Sun StarOffice documents that "phone home".....) Ryan Russell (Sep 05)