Newsbytes
"Any site on the Internet can access your ID number using a little JavaScript. It's a significant privacy issue," said Smith, formerly chief technology officer for the Privacy Foundation and currently an independent computer privacy and security consultant.

The Windows Media Player is bundled with Microsoft's operating systems and is also available for the Macintosh OS X operating system. According to the company, it is the fastest growing and leading media player.

Jonathan Usher, group product manager for the Windows Digital Media Division at Microsoft, acknowledged the potential privacy issue in WMP but said Smith's discovery was "old news" and that the company addressed it last spring in an update to WMP.

That update enables WMP users to change the media player's default setting so that the user ID is randomly generated each session, according to Usher.

According to a May 2001 Microsoft security bulletin, the WMP privacy issue "could be exploited by a malicious set of Web sites to distinguish a user. While this issue would not by itself enable a Web site to identify the user, it could enable the correlation of user information to potentially build a composite description of the user."

Smith contended that most Windows users are unaware of Microsoft's solution to the privacy problem.

"Asking the average user to solve a privacy leak by manually changing settings seems a bit much to me, especially considering that there are many people who have never run Windows Media Player, yet they are still vulnerable to the problem," said Smith.

According to Smith, who has posted a demonstration at his Web site, the Media Player user-ID number can be accessed even if users are browsing the Internet with the latest version of Microsoft's Internet Explorer.

"Microsoft went through a lot of effort in IE 6 to put in various privacy controls, yet there's this back door that totally goes around all of it," he said.

Because it can be used by sites to bypass privacy protections built into browsers, Smith said the Media Player user ID is a kind of "Super Cookie." Cookies are bits of data sent to browsers by Web sites for customization and tracking.

Sites are able to capture a user's Media Player user ID because of a flaw in the ActiveX interface to the player that enables the ID to be retrieved using a command called "ClientID," Smith said.

On versions 6.4 through 7.01, the latest Media Player release, users can mitigate the privacy risk through a setting on the player's Tools menu, according to Russ Cooper, "surgeon general" for TruSecure Corp., a security information and consulting firm.

Deselecting the option labeled "Allow Internet sites to uniquely identify your player" will cause the player to generate a random ID number each session, Cooper said.

Smith said the ID number appears to have been designed into the player years ago to enable Windows Media content providers to gather statistics on users' listening and viewing habits.

Smith said he originally warned Microsoft about the privacy implications of the player's user ID in March 2001. According to Cooper, Microsoft apparently took Smith's recommendations to heart in the latest version of WMP.

In the future, such a unique ID could be necessary as part of a rights-management system for purchasing digital music and other content, according to Cooper.

"The convenience of buying digital media online may require some method of unique identification of you as a consumer. But I'd like to see Microsoft give (Windows Media Player) users more control over what sites are allowed to access the ID," he said.

In 1999, Smith discovered a user-monitoring system in the Real Player from RealNetworks, a popular competitor to Windows Media. Real subsequently provided users with the ability to disable the user ID in their players. Smith said he was not aware of a way that sites could capture the Real Player ID from the system registry.

Smith's demonstration page is at http://www.computerbytesman.com/privacy/supercookiedemo.htm.

Smith's description of the privacy issue is at http://www.securityfocus.com/archive/1/250363.

Microsoft's bulletin is at http://www.microsoft.com/technet/security/bulletin/MS01-029.asp.

Reported by Newsbytes, http://www.newsbytes.com.

13:26 CST
Reposted 17:20 CST

(20020115 /WIRES TOP, ONLINE, LEGAL, BUSINESS/WINMP/PHOTO)