Home page logo
/

bugtraq logo Bugtraq mailing list archives

Other file formats that can "phone" home
From: "Richard M. Smith" <rms () PRIVACYFOUNDATION ORG>
Date: Sat, 2 Sep 2000 16:03:57 -0400

Hello,

Microsoft Security Response Center wrote:

 - It suggests that this is a purely Microsoft issue, when in fact it
applies to all web-enabled applications.  There are thousands of
them, and they run on all operating systems.

Actually in the advisory we make the point that
this is not just a Microsoft Word issue:

   "The use of Web bugs in Word does point to a
   more general problem. Any file format that
   supports automatic linking to Web pages or
   images could lead to the same problem. Software
   engineers should take this privacy issue into
   consideration when designing new file formats.

   This issue is potentially critical for music file
   formats such as MP3 files where piracy concerns are
   high. For example, it is easy to imagine an extended
   MP3 file format that supports embedded HTML for
   showing song credits, cover artwork, lyrics, and
   so on. The embedded HTML with embedded Web bugs
   could also be used to track how many times a song
   is played and by which computer, identified by its
   IP address."

However, clearly not every web-enabled application has this problem.
The key issue is not if the application is web-enabled but
if a *file format* supported by an application is web-enabled.
Yes, there are easily thousands of Web-enabled applications
but is unlikely that most of them have file formats that can
be bugged.

The Privacy Foundation is very interested in hearing about
other applications that support file formats that can
be "buggesd".  Please drop me a line if you know of one.
Even better send a sample file.  To get the ball rolling,
folks who are using Office suite products from other vendors
can test out our demo documents and report back the results.
The URLs for the demo documents are:

   http://www.privacycenter.du.edu/demos/bugged.doc
   http://www.privacycenter.du.edu/demos/bugged.xls
   http://www.privacycenter.du.edu/demos/bugged.ppt

For a file format to be "buggable" it needs to support
embedded HTML content or links to Web images that
are automatically activated when a file is opened.

Richard

================================================
Richard M. Smith
Chief Technology Officer
Privacy Foundation

Email: rms () privacyfoundation org
http://www.privacyfoundation.org
================================================


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]