Microsoft’s Bill Gates recently sent an e-mail message to Microsoft employees announcing a major new effort to clean up the company's software by making security, uptime, and privacy top priorities. And two of Microsoft’s most recently released software products—Windows XP and Internet Explorer 6—are already being touted as much more secure than earlier versions.
Although this is further proof that Microsoft is finally paying attention to security as an important issue for the masses, we have already seen critical flaws in XP’s Universal Plug and Play subsystem. There are also some doubts about whether IE6, which is built into XP, has really improved security in any meaningful way. Thus, I decided to delve into the security features of IE6, and now I’m going to share what I discovered.
First, let’s look at what IE6 doesn’t have. The new browser doesn’t add any new encryption tools, doesn’t appear to alter any file formats, and is highly compatible with IE5 utilities.
What IE6 does have are new features that make it difficult to avoid Microsoft Web sites and a new security configuration utility that alters the way the browser deals with cookies. Since cookies are considered by many to be a major security threat, at first this change seems to be a major improvement. But once you get past the outward appearance, things become a bit less reassuring.
By placing cookie handling under the “privacy” heading in IE6, Microsoft has now changed the focus on cookies from essential Web tools to security threats, and that is a good thing. Any browser claiming to be secure must offer users extensive control over the way cookies are handled.
Under IE5, users could group Web sites into trusted, restricted, and Internet (unknown status), applying blanket acceptance or refusal of cookies within these zones. They could also create customized security settings.
IE6 has the same basic options, but the security level you select applies only to the Internet Security Zone. Outside the Internet Security Zone and Restricted Zones, cookies are always accepted. In the Restricted Zones, cookies are never accepted. This actually appears to provide fewer options when it comes to dealing with cookies, which could mean reduced overall security. Determining just exactly how IE6 handles all cookies will take some time, but the entire configuration process is quite different from that in IE5.
P3P and cookies
P3P is an Internet protocol that is designed to let users select general privacy settings that will then be enforced by software. Implementing this is a highly complex task that Internet committees have been working on for years. Microsoft has taken this experimental, untried protocol and implemented the first proposed standard in IE6. In other words, Microsoft has forced everyone who uses IE6 into being a beta tester for a new Internet privacy protocol.
Microsoft has also decided to skip the opening paragraph of W3C’s description of how P3P is supposed to work. The proposed P3P protocol calls for the use of “a standardized set of multiple-choice questions, covering all the major aspects of a Web site's privacy policies” to be used in determining cookie security settings in a browser.
Microsoft implements P3P using a sliding scale with six settings: Accept All, Reject All, and four settings in between. Only the two extremes correspond to settings in IE5. The problem comes in trying to decide just what all those in-between settings actually mean beyond the brief explanations given on the menu. There is still an Advanced security option, which avoids P3P, but you must apply the rules to a single security zone that new Web sites also fall into.
Enough general background—now for the latest real-world problem, as reported in NTBugtraq. Most IE6 users will rely on P3P because it’s the default. If everything goes perfectly, P3P will provide relatively decent security, but only if P3P can rely on the P3P tags found on a Web site and enforce the user’s rules.
Unfortunately, Windows Media Player (WMP) makes it possible for malicious Web sites to grab your browser’s unique WMP ID using simple Java code. This ID can then be used to track sites a user visits on the Internet, and it can also be used as a SuperCookie to bypass all the new P3P protections built into IE6. SuperCookies work in other versions of IE, but a reliance on P3P may make this vulnerability more critical.
SuperCookies act much like ad-tracking IDs and bypass cookie blocker utilities. Even deleted cookies can be reconstructed by a Web site using this unique ID.
By default, WMP allows Web sites to assign a unique ID to your machine. However, turning this option off doesn’t seem to alter the way the vulnerability operates. Disabling Java and/or removing WMP entirely are the only ways to kill the SuperCookies completely. Richard Smith, who coined the term “SuperCookies” and wrote the NTBugtraq report on them, said he informed Microsoft of the problem in March 2001.
In a way, Microsoft addressed the SuperCookie problem last year, but the fix is obscure. It’s unlikely that the average user will learn about it, let alone make the changes specified in Microsoft Bulletin MS01-029.
According to Smith, “The actual WMP player ID number is stored in the Windows registry in these keys.”
Using Regedit to insert a new code would change this ID, but unless you changed it every time you went on the Web, I don’t see how this would help.
Although this is technically a WMP vulnerability, it is implemented only through browsers, so that makes it a browser problem as well. Even worse, it makes this a browser security/privacy problem, which can be corrected only by going to another program entirely.
If you want to know the SuperCookie ID for your computer, just go to this demo site. You can see Newsbytes’ take on this here and you can also read the CNET News report "Privacy flaw continues to dig IE hole."
Lost in all this is just what P3P is supposed to do and whether Microsoft has tried to put more responsibility on P3P than it was ever intended to shoulder. The new protocol doesn’t make any attempt to decide which cookies are actually safe (however you define that term). P3P just makes it easier to apply the security standards that users choose and match them with what Webmasters say about their own Web sites.
P3P’s XML code decides which cookies to allow based on the user-defined security parameters and—here’s the critical part—matches this against the P3P tags that Web sites have added to define their policies.
What, your site doesn’t have P3P tags? Don’t be too concerned about that. Most Web sites don’t implement this new protocol yet. After all, it’s still just a work in progress.
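The matching step described above can be sketched in code. This is an added example, not code from the article, Microsoft, or the W3C: it parses the compact-policy form of a site's P3P declaration (the CP="..." value of a P3P response header, with token names from the P3P 1.0 vocabulary) and checks it against a hypothetical user preference. The preference rules and function names are assumptions and do not reproduce IE6's actual privacy levels.

```javascript
// Added illustration: a simplified P3P compact-policy check, not IE6's logic.
// Token names follow the W3C P3P 1.0 compact-policy vocabulary; the
// preference rules in USER_PREFS are hypothetical.

// Extract the CP="..." token list from a P3P response header value.
function parseCompactPolicy(headerValue) {
  if (typeof headerValue !== "string") return null;
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  if (!m) return null;
  const tokens = m[1].trim().split(/\s+/).filter(Boolean);
  return tokens.length ? tokens : null;
}

// Hypothetical preference: purposes the user objects to unless the site
// declares them opt-in ("i" suffix) or opt-out ("o" suffix), recipients the
// user never accepts, and what to do when a site declares nothing at all.
const USER_PREFS = {
  consentRequiredPurposes: ["CON", "TEL", "IVA", "IVD", "OTP"],
  blockedRecipients: ["UNR", "PUB"],
  acceptWhenNoPolicy: false,
};

// Decide whether to accept a cookie using only what the site declares.
function decideCookie(headerValue, prefs = USER_PREFS) {
  const tokens = parseCompactPolicy(headerValue);
  if (!tokens) {
    return { accept: prefs.acceptWhenNoPolicy, reason: "no compact policy" };
  }
  for (const raw of tokens) {
    const base = raw.slice(0, 3).toUpperCase();
    const suffix = raw.slice(3).toLowerCase(); // "", "a", "i" or "o"
    if (prefs.blockedRecipients.includes(base)) {
      return { accept: false, reason: `recipient ${base}` };
    }
    if (prefs.consentRequiredPurposes.includes(base) &&
        suffix !== "i" && suffix !== "o") {
      return { accept: false, reason: `purpose ${base} without consent` };
    }
  }
  return { accept: true, reason: "declared policy satisfies preferences" };
}
```

The decision depends entirely on the tokens the site chooses to declare, and an identifier kept outside the cookie store, such as the WMP ID discussed earlier, never passes through this check.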
I don’t want to come down too hard on security flaws in IE6. For most users, it’s about as secure as IE5. But I don’t really see any improved security features as implemented in the first release of IE6. In fact, SuperCookies can compromise any browser if the computer has WMP installed, even if you don’t use WMP, and IE6’s implementation of P3P could make this easier for hackers to manipulate.
So what’s the big deal? If you don’t want to rely on P3P and prefer to use IE 5.5 under XP, you can just use the Uninstall feature to remove IE6, then install IE 5.5. Simple, right? Unfortunately, if you are running XP, the Uninstall tool removes only the user interface for IE6. The actual code has to remain because some XP features depend on IE6. Using the Uninstall option actually does little more than remove your ability to customize IE6’s security options. In other words, you would no longer be able to manually overcome the P3P weaknesses. Needless to say, that’s not a good idea if you’re running XP, but you may want to consider it if you’re running another version of Windows.