Bugtraq mailing list archives
Re: Microsoft Word documents that "phone" home
From: Terje Bless <link () TSS NO>
Date: Sat, 2 Sep 2000 01:23:13 +0200
Microsoft Security Response Center wrote:
- It pays scant attention to the fact that customers already have the tool to control cookies in their hands, namely, IE. Customers who have used the Security Zones setting in IE to restrict how cookies are handled are automatically protected against all cookies, regardless of whether the web session was initiated by web surfing or by a web-enabled application.
Just to be completely clear on this issue. These are the same customers you are referring to whom Microsoft thought would need MS Bob and the Talking Paperclip? One thing is to give them enough rope to hang themselves, but a booby-trapped thermonuclear weapon running on a rand(time) countdown? Is that really wise? I don't see that the cookie issue is really relevant. What should be addressed is what kind of defaults, warnings, and disclosure, is practiced. Whether it's cookies, active content, or a big red button labelled "Press Me", I want the safety catch to be on by default and I want a warning before it goes boom! It might be worth noting that Claymore mines are marked "this side towards enemy" on the side that should be, uhm, towards the enemy.
- It spins dire scenarios of people being "tracked", without acknowledging just how difficult it would be to actually correlate information like an IP address to a person's identity.
It is? Really? I'd warn off Doubleclick.net before they "waste" any more money then. Tracking people through cookies and other kinds of web bugs isn't really hard from a technical POV. It gets a little muddier in a practical perspective, but here it boils down to "how bad do you want it". We know many organizations that want it really really bad... MS being one of them, BTW! This shouldn't be blown all out of proportion, but it shouldn't be downplayed either. Permissive defaults are a problem, and unless attention to privacy is a primary concern, these things will keep popping up.
- It suggests that this is a purely Microsoft issue, when in fact it applies to all web-enabled applications. There are thousands of them, and they run on all operating systems.
You are a victim of your own success. MS Office products have a market penetration that makes every little niggling glitch a major issue; not to mention a target for anyone looking for those glitches (regardless of whether the intent is benign or malicious). Your own marketing material, BTW, suggests that "web enabled" spreadsheets are a "purely Microsoft issue"; though, of course, the marketing material uses phrases like "feature" and "innovation". :-) While it would be inaccurate to paint this as a purely Microsoft problem in the /general/ case, it's beyond question that it's a Microsoft issue in the /specific/ case, and I don't feel you've addressed _that_ just yet.