ExtremeTech Security Update
Your First Line of Defense
by Brett Glass
Thursday, January 24th
www.extremetech.com

Windows "SuperCookies" betray your identity

Richard M. Smith, founder of Phar Lap Software and computer security maven, has discovered a Windows bug that allows any Web site to identify and track you... even if you're using software that disables "cookies" and other tracking mechanisms. Because the bug involves Windows Media Player, it does not matter which browser you're using. If your machine is capable of using an ActiveX control and/or running a script, and has Windows Media Player installed, you can be tracked via the unique ID number that the player assigns to every system. Remove this ID, or set the player so that it does not stay the same from session to session, and the player's digital rights management (DRM) "features" may prevent you from playing some content that's meant to be copy-protected.

Your machine's "SuperCookie"--its media player ID--can be used by itself or to create any number of ordinary cookies via which you might be tracked. Blocking "SuperCookies" requires changing an obscure option in Windows Media Player which is barely documented, and which (on all versions of Windows prior to XP) only becomes available if one installs a patch that's intended to fix a different security flaw.

Microsoft has been aware of this issue since early 2001 (when it was notified of the flaw by Smith) and mentioned the problem in passing in a security bulletin (last link below). However, in the bulletin, Microsoft demonstrated its lack of concern for users' privacy by saying that it did not consider violations of privacy to be security issues and does not normally report them in security bulletins. It has further demonstrated its disregard for privacy by leaving the "SuperCookie" enabled by default in all versions of Windows Media Player.

To close the hole on your own system, download the Microsoft patch mentioned at the last link below (it's nearly a megabyte in size). Select View/Options from the menu, select the "Player" tab, and de-select "Allow Internet sites to uniquely identify your player." For more information on "SuperCookies" and a test page that demonstrates them, see the first link below.

FURTHER READING

Internet Explorer SuperCookies bypass P3P and cookie controls
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eOE70Dlvqr0FBU0eOM0AT

Windows Media Player must be patched to fix IE (The Register)
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eOE70Dlvqr0FBU0eON0AU

Windows Media Player 'Super Cookies' Could Help Track Users (Newsbytes)
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eOE70Dlvqr0FBU0eOO0AV

Microsoft advisory which mentions the problem (Microsoft)
(Note: Page may not work with text-based browsers for the blind or visually impaired)
http://extreme.ziffdavis.com/cgi-bin10/flo?y=eOE70Dlvqr0FBU0eOP0AW