Re: Microsoft Word documents that "phone" home
From: Microsoft Security Response Center <secure () MICROSOFT COM>
Date: Fri, 1 Sep 2000 07:27:11 -0700
Hi Kris -
Thanks for your note. I think we may be in violent *agreement*.
We think it's a great idea to talk about this issue, and we do want
to make sure that our customers understand the pros and cons of
web-enabled applications. Specifically, we are glad to participate
in a dialogue about cookies, the risk they pose, and how to control
them. Our objection to the report lies principally in its tone.
- It suggests that this is a purely Microsoft issue, when in fact it
applies to all web-enabled applications. There are thousands of
them, and they run on all operating systems.
- It spins dire scenarios of people being "tracked", without
acknowledging just how difficult it would be to actually correlate
information like an IP address to a person's identity.
- It pays scant attention to the fact that customers already have
the tool to control cookies in their hands, namely, IE. Customers
who have used the Security Zones setting in IE to restrict how
cookies are handled are automatically protected against all cookies,
regardless of whether the web session was initiated by web surfing or
by a web-enabled application.
We do want our customers to be aware of this issue and to know what
steps they can take. But we think it would have been much more
productive to have had a less-hyperbolic discussion about the issue
and what customers can do about it. Hope that helps explain where we
were coming from with our posting. Regards,
-----Original Message-----
From: Kris Kennaway [mailto:kris () FreeBSD org]
Sent: Thursday, August 31, 2000 8:38 PM
To: Microsoft Security Response Center
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Microsoft Word documents that "phone" home
On Wed, 30 Aug 2000, Microsoft Security Response Center wrote:
Microsoft has posted a response to this advisory,
entitled "Cookies and Word Documents", available at
Yeah, but claiming that "Any web-enabled application can, by
contact a web site" seems to miss the risk here. Word processing
and the like have traditionally not been "internet-aware", so this
behaviour would come as a surprise to most people, even those who
understand the privacy risks associated with cookies in a browser
In other words, most people probably don't think of their spreadsheet
or word processor as being "web-enabled".
I'm sure this kind of internet-integrated document behaviour is going
to become more widespread over time (like it or not), but any new
causes an unavoidable lag time before people catch up to thinking
things along the new lines. IMO it's not good security practise to
introduce new vulnerabilities which will be tripped over by
people who are still looking at things in the old, familiar context.
Parenthetically, the majority of internet users probably have cookies
enabled and always will, which means that they are vulnerable to
tracking in this form.
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe () alum mit edu>