Windows Media Player ID update

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/15/02

Date:         Tue, 15 Jan 2002 16:11:04 -0500
From: Russ <Russ.Cooper@RC.ON.CA>

Firstly, as Jon Fiedler <> pointed out in
a message he submitted, this privacy issue was addressed by MS01-029
back on May 23, 2001, not long after Richard said he contacted them
about it;

That fix provided a option box for Windows Media Player (WMP) 6.4. WMP
7.0 was updated to WMP 7.1 and included the same option. WMP in Windows
XP (also called WMP 8.0) already included the option.

Its important to recognize that this issue *is not* associated with the
Browser, other than the fact that this happens to be one way to access
the ID. P3P doesn't cover specifics like a ClientID value from Windows
Media Player, and the ClientID is not part of a standard Cookie either
(although it may well be included in one.)

That its possible to use this value to uniquely identify a machine can,
of course, be used for "malicious" acts. This according to Microsoft's
own Security Bulletin;

"This issue could be exploited by a malicious set of web sites to
distinguish a user."

Ergo such methods would never be used by non-malicious sites.

Yet, as Richard points out, even though Microsoft acknowledges the issue
as being exploitable by malicious sites, they still choose not to set
the default on this option to prevent such exploitation. Microsoft went
on to say in the same Security Bulletin;

"Users can protect themselves by installing the above patch or upgrading
to Windows Media Player 7.1, then changing the appropriate settings in
their player as outlined below to prevent sets of websites from
potentially profiling using Windows Media Player."

Suggesting that users would not, by default, want to be protected from
being exploited by a malicious set of web sites.

Interestingly, I cannot find any documentation within MSDN which
describes the perceived purpose of the ClientID value, other than;

An extremely benign explanation suggesting only that individual
installations of the WMP control might want to be
distinguished...nothing about it being used to identify a machine (since
most people would appear to only have one installation of the WMP
control on their systems.)

In fixing this problem Microsoft failed to recognize the actual problem.
The technical fix provided an opportunity for a user to stop being
identified without being told they were being identified. It failed
miserably at meeting the user expectation that, unless asked otherwise,
they do not want to uniquely identify themselves to anyone.

How many other unique GUIDs exist in a typical Windows installation?
Hundreds? Thousands? How many are generated for 3rd party applications
that are installed...many! Control over the querying of GUIDs needs to
be an integral part of the connection to the Internet, in the way
cookies are.

Its perfectly understandable that the use of GUIDs would be part of your
connection to the Internet, and that there would be at least session
persistence. AOL used to change the IP address of a given client
mid-connection, causing no end of trouble for server-side storage/logic.
However, it must be understood that "session" and "life-time of
installation" are two very different things. The entire Windows
environment should default to "session", and let the user be prompted
and choose to provide "life-time of installation" information when

Should you find any "well-known" site which employs the ClientID query,
send me a note, I'll keep a list of these "malicious" sites on
NTBugtraq's website.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Delivery co-sponsored by VeriSign - The Internet Trust Company
When building an e-commerce site, you want to start with a strong, secure
foundation. Learn how with VeriSign's FREE White Paper, "Building an
E-Commerce Trust Infrastructure." See how you can authenticate your site to
customers, use 128-Bit SSL encryption to secure your web servers, and accept
secure payments online. Click here: