SecurityTracker.com
Category:   Application (Multimedia)  >   Windows Media Player
Vendors:   Microsoft
Microsoft Windows Media Player Discloses Unique ID to Remote Users in the Default Configuration, Allowing Web Sites to Track Users
SecurityTracker Alert ID:  1003228
SecurityTracker URL:  http://securitytracker.com/id/1003228
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 15 2002
Original Entry Date:  Jan 15 2002
Impact:   Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes

Description:   An information disclosure vulnerability was reported in Microsoft's Windows Media Player. A remote user can write JavaScript that, when executed on another user's computer, retrieves that user's Windows Media Player globally unique identifier (GUID).

It is reported that Windows Media Player contains a default configuration flaw that allows JavaScript to access the Media Player's GUID. This identifier can be communicated back to a web site or stored and used as a "super cookie" to track the user's browsing activities. This issue apparently affects Windows Media Player and not Internet Explorer, so the privacy and P3P protections of Internet Explorer 6 (IE6) do not provide protection.

A demonstration exploit page is available at:

http://www.computerbytesman.com/privacy/supercookiedemo.htm

This exploit works with Internet Explorer and Netscape browsers and may work with additional browsers.

The following type of HTML and JavaScript code can apparently be used to retrieve the GUID:

<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
ID=WMP WIDTH=1 HEIGHT=1></OBJECT>

<script>
alert(document.WMP.ClientID);
</script>
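
For auditing stored or proxied page content, the pattern above can be matched statically. The following is an added example, not code from the advisory or from Microsoft: it reports every page that embeds the control with the classid shown above and whether any script reads its ClientID property. The function names and the sample pages are assumptions constructed for illustration.

```javascript
// Added example, not part of the advisory: flag pages that embed the Windows
// Media Player ActiveX control and read its ClientID property from script.
const WMP_CLSID = "clsid:22d6f312-b0f6-11d0-94ab-0080c74c7e95"; // classid quoted in the advisory

// Value of an HTML attribute (double-quoted, single-quoted or bare) in a tag.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Returns one finding per embedded WMP control:
//   id            the control's ID/NAME attribute (null if absent)
//   readsClientId some script on the page reads a .ClientID property
//   viaId         the read goes through the control's id (e.g. document.WMP.ClientID)
function auditWmpClientId(html) {
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1]).join("\n");
  const findings = [];
  for (const tag of html.match(/<object\b[^>]*>/gi) || []) {
    if ((attr(tag, "classid") || "").toLowerCase() !== WMP_CLSID) continue;
    const id = attr(tag, "id") || attr(tag, "name");
    // Matched case-insensitively so differently cased spellings are not missed.
    const readsClientId = /\.\s*ClientID\b/i.test(scripts);
    const viaId = id !== null &&
      new RegExp(`\\b${escapeRe(id)}\\s*\\.\\s*ClientID\\b`, "i").test(scripts);
    findings.push({ id, readsClientId, viaId });
  }
  return findings;
}

// Constructed sample pages (the first reuses the advisory's snippet).
const SAMPLE_READS_ID = `<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
ID=WMP WIDTH=1 HEIGHT=1></OBJECT>
<script>
alert(document.WMP.ClientID);
</script>`;
const SAMPLE_PLAYBACK_ONLY = `<object classid='CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95'
 id="player" width="320" height="240"></object>
<script>document.title = "clip";</script>`;

console.log(auditWmpClientId(SAMPLE_READS_ID));
console.log(auditWmpClientId(SAMPLE_PLAYBACK_ONLY));
```

A finding with readsClientId set but viaId unset means the read reaches the control some other way than through its id, so the page needs manual review.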

Impact:   A remote user can obtain the GUID of another user's Windows Media Player.
Solution:   Newer versions of Windows Media Player provide the user with an option to not provide the GUID to other web sites. This option is accessible via the media player and not Internet Explorer.

For users of version 6.4, a patch is available that will provide this option (note that the default is still to allow the GUID to be disclosed):

http://www.microsoft.com/technet/security/bulletin/MS01-029.asp

Windows Media Player 7.0 users should upgrade to 7.1 to obtain this feature.

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Internet Explorer SuperCookies bypass P3P and cookie controls


Introduction
------------

There is a significant privacy problem with Internet Explorer
because of a design flaw in the Windows Media Player (WMP).  Using
simple Javascript code on a Web page, a Web site can grab the
unique ID number of the Windows Media Player belonging
to a Web site visitor.  This ID number can then be used just
like a cookie by Web sites to track a user's travels around
the Web.

However this ID number becomes a SuperCookie because it can be used
by Web sites to bypass all of the new privacy and P3P protections
that Microsoft has added to Internet Explorer 6 (IE6).  IE6 ships
today with all Windows XP  systems.  SuperCookies also work in all
previous versions of Internet Explorer with all older versions of
Windows.

Some of the other features of SuperCookies include:

   - There appears to be no method of blocking
     SuperCookies from a Web site except to uninstall
     Windows Media Player or to turn off JavaScript.

   - All Web sites get the same ID number so they
     can easily exchange information about a user
     much like third-party cookies are used today
     by ad networks and Internet marketing companies.

   - Even if someone is using a cookie blocker add-in,
     SuperCookies will still work.

   - If a user has deleted cookies from his or her computer
     to stop tracking, a Web site can restore an
     old cookie value from this ID number.  Once the
     cookie value has been restored, new tracking data
     can be combined with tracking data that was
     previously collected by the Web site.


Demo Page
---------

I've set up a simple demo page that shows the
issue:

   http://www.computerbytesman.com/privacy/supercookiedemo.htm

This demo still works even if the WMP option "Allow
Internet sites to uniquely identify your player" is
turned off.  This option controls when the WMP ID number
is given out to Web sites when downloading streaming audio
or video files, but does not appear to stop JavaScript
programs from getting this number.


Technical Details
-----------------

When the Windows Media Player is installed on a computer, a
unique ID number in the form of a GUID is assigned to the player.
This ID number is stored in the Windows registry.  The ActiveX
interface to the Windows Media Player allows any JavaScript
program to retrieve the ID number using the property "ClientID".

The following example HTML and JavaScript code illustrates how
easy it is to retrieve the ID number:

<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
ID=WMP WIDTH=1 HEIGHT=1></OBJECT>

<script>
alert(document.WMP.ClientID);
</script>

Once the ID number is available to a JavaScript program, it can
be sent back to a Web site either by appending it to the URL
of a Web bug or storing it in a regular Web browser cookie.


Recommendations for Microsoft
-----------------------------

I originally notified Microsoft of this problem in
March 2001.

One solution to this problem is for Microsoft to remove
the ClientID property from the WMP ActiveX control.  For
compatibility with existing JavaScript code, Microsoft may have
to keep the property around, but always have it return a
GUID of all zeros for all users.

An even better idea might be to remove the WMP player
ID number altogether and have WMP instead use the standard
cookie mechanism of Internet Explorer.

Richard M. Smith
http://www.computerbytesman.com
