Update on the SuperCookie issue

From: Richard M. Smith (rmsat_private)
Date: Tue Jan 15 2002 - 11:08:25 PST

    Here's an update on the SuperCookie issue that I reported earlier today:

       1. My mistake for not catching this one earlier.  As some people
          pointed out, turning off the "Allow Internet Sites to uniquely
          identify your player" option in WMP gets rid of the SuperCookie
          problem.  With this option turned off, the WMP ActiveX control
          will return different player ID numbers for each IE session.
          This work-around appears to be available in the versions of WMP
          that ship with IE6 and Windows XP.  Note that SuperCookies are
          turned on by default in IE/WMP.

          However, asking the average user to solve an Internet Explorer
          privacy leak by manually changing settings in a different program
          seems a bit much to me.  Especially considering that there are
          many people who have never run Windows Media Player, yet they are
          still vulnerable to the problem.

       2. SuperCookies are also available in Netscape Navigator using the
          WMP plugin.

       3. The actual WMP player ID number is stored in the Windows registry
          in these keys:

          HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General
          string value "UniqueID"

          or

          HKEY_USERS\<user>\Software\Microsoft\Windows Media\WMSDK\General
          string value "UniqueID"

          If one of these keys is manually changed using REGEDIT, the demo
          page will show the new ID number.
    
    Richard M. Smith
    http://www.computerbytesman.com
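
Added example, not part of the original post: a PowerShell audit that reports, for each user hive currently loaded under HKEY_USERS, whether the "UniqueID" value named in item 3 exists. The key path and value name are taken from the post; the variable names and report layout are assumptions made for this illustration.

```powershell
# Added example: list the WMP player ID ("UniqueID") per loaded user hive.
# Key path and value name are the ones given in the post above.
$subKey    = 'Software\Microsoft\Windows Media\WMSDK\General'
$valueName = 'UniqueID'

# HKEY_USERS has no default PowerShell drive, so use the provider path.
# Only hives of logged-on users (plus .DEFAULT and service accounts) are
# loaded here; reading other users' hives requires administrative rights.
$report = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }   # per-user class hives, not relevant

    $keyPath = "Registry::HKEY_USERS\$sid\$subKey"
    $id = $null
    if (Test-Path -LiteralPath $keyPath) {
        # A missing value yields $null rather than an error.
        $id = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName `
                   -ErrorAction SilentlyContinue).$valueName
    }

    # Resolve the SID to an account name where possible (.DEFAULT will not resolve).
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                       Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(unresolved)'
    }

    [pscustomobject]@{
        Account  = $account
        Sid      = $sid
        HasId    = [bool]$id
        UniqueID = $id
    }
}

# Accounts that carry a persistent player ID are listed first.
$report | Sort-Object HasId -Descending | Format-Table -AutoSize
```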
    


