Bugtraq mailing list archives
Re: Microsoft Word documents that "phone" home
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 1 Sep 2000 07:27:11 -0700
Hi Kris -

Thanks for your note. I think we may be in violent *agreement* here.<g> We think it's a great idea to talk about this issue, and we do want to make sure that our customers understand the pros and cons of web-enabled applications. Specifically, we are glad to participate in a dialogue about cookies, the risk they pose, and how to control them.

Our objection to the report lies principally in its tone.

- It suggests that this is a purely Microsoft issue, when in fact it applies to all web-enabled applications. There are thousands of them, and they run on all operating systems.

- It spins dire scenarios of people being "tracked", without acknowledging just how difficult it would be to actually correlate information like an IP address to a person's identity.

- It pays scant attention to the fact that customers already have the tool to control cookies in their hands, namely, IE. Customers who have used the Security Zones setting in IE to restrict how cookies are handled are automatically protected against all cookies, regardless of whether the web session was initiated by web surfing or by a web-enabled application.

We do want our customers to be aware of this issue and to know what steps they can take. But we think it would have been much more productive to have had a less-hyperbolic discussion about the issue and what customers can do about it.

Hope that helps explain where we were coming from with our posting.

Regards,
Scott

-----Original Message-----
From: Kris Kennaway [mailto:kris () FreeBSD org]
Sent: Thursday, August 31, 2000 8:38 PM
To: Microsoft Security Response Center
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Microsoft Word documents that "phone" home

On Wed, 30 Aug 2000, Microsoft Security Response Center wrote:

> Microsoft has posted a response to this advisory, entitled "Cookies and Word Documents", available at http://www.microsoft.com/technet/security/cookie.asp

Yeah, but claiming that "Any web-enabled application can, by definition, contact a web site" seems to miss the risk here. Word processing documents and the like have traditionally not been "internet-aware", so this kind of behaviour would come as a surprise to most people, even those who understand the privacy risks associated with cookies in a browser context. In other words, most people probably don't think of their spreadsheet or word processor as being "web-enabled".

I'm sure this kind of internet-integrated document behaviour is going to become more widespread over time (like it or not), but any new paradigm causes an unavoidable lag time before people catch up to thinking about things along the new lines. IMO it's not good security practise to introduce new vulnerabilities which will be tripped over by unsuspecting people who are still looking at things in the old, familiar context.

Parenthetically, the majority of internet users probably have cookies enabled and always will, which means that they are vulnerable to document tracking in this form.

Kris

-- 
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe () alum mit edu>