Bugtraq mailing list archives

Re: Microsoft Word documents that "phone" home


From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 1 Sep 2000 07:27:11 -0700

-----BEGIN PGP SIGNED MESSAGE-----

Hi Kris -

Thanks for your note.  I think we may be in violent *agreement*
here.<g>

We think it's a great idea to talk about this issue, and we do want
to make sure that our customers understand the pros and cons of
web-enabled applications.  Specifically, we are glad to participate
in a dialogue about cookies, the risk they pose, and how to control
them.  Our objection to the report lies principally in its tone.
 - It suggests that this is a purely Microsoft issue, when in fact it
applies to all web-enabled applications.  There are thousands of
them, and they run on all operating systems.
 - It spins dire scenarios of people being "tracked", without
acknowledging just how difficult it would be to actually correlate
information like an IP address to a person's identity.
 - It pays scant attention to the fact that customers already have
the tool to control cookies in their hands, namely, IE.  Customers
who have used the Security Zones setting in IE to restrict how
cookies are handled are automatically protected against all cookies,
regardless of whether the web session was initiated by web surfing or
by a web-enabled application.

We do want our customers to be aware of this issue and to know what
steps they can take.  But we think it would have been much more
productive to have had a less-hyperbolic discussion about the issue
and what customers can do about it.  Hope that helps explain where we
were coming from with our posting.  Regards,

Scott

- -----Original Message-----
From: Kris Kennaway [mailto:kris () FreeBSD org]
Sent: Thursday, August 31, 2000 8:38 PM
To: Microsoft Security Response Center
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Microsoft Word documents that "phone" home


On Wed, 30 Aug 2000, Microsoft Security Response Center wrote:

Microsoft has posted a response to this advisory,
entitled "Cookies and Word Documents", available at
http://www.microsoft.com/technet/security/cookie.asp

Yeah, but claiming that "Any web-enabled application can, by definition,
contact a web site" seems to miss the risk here. Word processing
documents and the like have traditionally not been "internet-aware", so
this kind of behaviour would come as a surprise to most people, even
those who understand the privacy risks associated with cookies in a
browser context. In other words, most people probably don't think of
their spreadsheet or word processor as being "web-enabled".

I'm sure this kind of internet-integrated document behaviour is going
to become more widespread over time (like it or not), but any new
paradigm causes an unavoidable lag time before people catch up to
thinking about things along the new lines. IMO it's not good security
practice to introduce new vulnerabilities which will be tripped over by
unsuspecting people who are still looking at things in the old,
familiar context.

Parenthetically, the majority of internet users probably have cookies
enabled and always will, which means that they are vulnerable to
document tracking in this form.

Kris

- --
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOa+8vo0ZSRQxA/UrAQEHfQgAhPKKKjsodI7lQ61FNLJiIn6GsWoyCg81
5C9WWEeqL8ouoxZI0Me2EBHanXVLma30fNVfyNv+dj6EZKT1bvvG6lZX3WZjN2oe
j0E8HX7mi2p2iX/5J7up1ArlHgfJMnIHtFAEX7eozyHflKmRJr4DNRr7GUx3/XzI
smqh/qGB7X+11eWyLXtJuVA/dAYti2ae3Px8XUr/UzuZ4SzemrYBxMIIVS7vRbAq
XBr5/wnA8UNzjJSuLvsCdhaAtH9tfOEL7+UJK1H010DtQpWDKWp49q1ERSJ9tcQ5
m7Pe7K3EMjo86ph8HKXcXJo14X19VwXe7vD4Cb1asv6wes2dZC2KWQ==
=LokC
-----END PGP SIGNATURE-----
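Both sides of this exchange agree that a document which references a resource on a web server will trigger an HTTP request, and with it a cookie exchange, when it is opened. The following scanner is an added example written for this archive page; it is not code from Microsoft, Kris Kennaway or the original advisory. It assumes that the "phone home" mechanism is an externally linked resource inside the document (the thread only says the document can "contact a web site"), and it flags such references from a defender's point of view so a document can be checked before it is opened. For modern OOXML (.docx) files it reads the package relationship parts and separates references Word resolves on its own while rendering (images, OLE objects, attached templates; that grouping is an assumption used for triage) from hyperlinks that need a click; for the legacy binary .doc format of 2000 it falls back to looking for URLs in the raw bytes. The `tracker.example` host, the query string and the minimal `.docx` builder are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace (from the ECMA-376 standard).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Web URL, stopping at whitespace, control characters or quoting.
WEB_URL = re.compile(r"https?://[^\s\x00-\x1f\"'<>]+")

# Relationship types whose external targets Word resolves while rendering the
# document, i.e. without the user clicking anything. Assumption used for triage
# in this example; hyperlinks need a click and are reported separately.
AUTO_FETCH_TYPES = {"image", "oleObject", "attachedTemplate"}


def external_refs_in_ooxml(data: bytes) -> list[tuple[str, str]]:
    """Return (relationship type, target) for every relationship in an OOXML
    package whose TargetMode is External, i.e. whose target lies outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((rtype, rel.get("Target", "")))
    return found


def urls_in_binary_doc(data: bytes) -> list[str]:
    """Fallback for legacy binary .doc files: Word stores most strings as
    UTF-16LE and some as 8-bit text, so scan both decodings and both byte
    alignments. Noisy, but it cannot miss a plain http(s) URL."""
    candidates = [data.decode("latin-1"),
                  data.decode("utf-16-le", "ignore"),
                  data[1:].decode("utf-16-le", "ignore")]
    return sorted({u for text in candidates for u in WEB_URL.findall(text)})


def scan_document(data: bytes) -> dict:
    """Classify every web reference in the document by whether merely opening
    the file is enough to trigger the request (and the cookie exchange)."""
    report = {"format": None, "auto_fetch": [], "user_action": [],
              "unclassified": [], "phones_home": False}
    if data.startswith(b"PK"):                      # zip container -> OOXML
        report["format"] = "ooxml"
        for rtype, target in external_refs_in_ooxml(data):
            if not WEB_URL.match(target):
                continue                            # file:// or relative path
            bucket = "auto_fetch" if rtype in AUTO_FETCH_TYPES else "user_action"
            report[bucket].append(target)
    else:                                           # assume legacy binary .doc
        report["format"] = "binary"
        # The binary format gives no cheap way to tell auto-loaded links from
        # clickable ones, so any URL is treated as a possible beacon.
        report["unclassified"] = urls_in_binary_doc(data)
    report["phones_home"] = bool(report["auto_fetch"] or report["unclassified"])
    return report


def build_sample_docx(image_target: str, external: bool) -> bytes:
    """Constructed minimal .docx (not real Word output) whose single picture is
    either a linked external image or an ordinary embedded one."""
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{od}styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{od}image" Target="{image_target}"{mode}/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document whose only picture is fetched from a web server.
    tracked = build_sample_docx("http://tracker.example/beacon.gif?id=42", external=True)
    print(scan_document(tracked))
    clean = build_sample_docx("media/image1.png", external=False)
    print(scan_document(clean))
```

The useful output is the `auto_fetch` list: those targets are requested as soon as the file is rendered, which is exactly the case where a user who never thinks of a word processor as "web-enabled" would be surprised. Blocking or restricting cookies in the IE Security Zones, as the Microsoft reply notes, limits what such a request can carry, but a unique query string in the URL identifies the document copy by itself, so a document gateway or mail filter that refuses or rewrites auto-fetched external targets is the more direct control.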