Windows Media Player ID update

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 01/15/02


Date:         Tue, 15 Jan 2002 16:11:04 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Firstly, as Jon Fiedler <JFiedler@achilles.phrm.cwru.edu> pointed out in
a message he submitted, this privacy issue was addressed by MS01-029
back on May 23, 2001, not long after Richard said he contacted them
about it;

http://www.microsoft.com/technet/security/bulletin/MS01-029.asp

That fix provided a option box for Windows Media Player (WMP) 6.4. WMP
7.0 was updated to WMP 7.1 and included the same option. WMP in Windows
XP (also called WMP 8.0) already included the option.

Its important to recognize that this issue *is not* associated with the
Browser, other than the fact that this happens to be one way to access
the ID. P3P doesn't cover specifics like a ClientID value from Windows
Media Player, and the ClientID is not part of a standard Cookie either
(although it may well be included in one.)

That its possible to use this value to uniquely identify a machine can,
of course, be used for "malicious" acts. This according to Microsoft's
own Security Bulletin;

"This issue could be exploited by a malicious set of web sites to
distinguish a user."

Ergo such methods would never be used by non-malicious sites.

Yet, as Richard points out, even though Microsoft acknowledges the issue
as being exploitable by malicious sites, they still choose not to set
the default on this option to prevent such exploitation. Microsoft went
on to say in the same Security Bulletin;

"Users can protect themselves by installing the above patch or upgrading
to Windows Media Player 7.1, then changing the appropriate settings in
their player as outlined below to prevent sets of websites from
potentially profiling using Windows Media Player."

Suggesting that users would not, by default, want to be protected from
being exploited by a malicious set of web sites.

Interestingly, I cannot find any documentation within MSDN which
describes the perceived purpose of the ClientID value, other than;

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmplay/
mmp_sdk/player6clientid.asp

An extremely benign explanation suggesting only that individual
installations of the WMP control might want to be
distinguished...nothing about it being used to identify a machine (since
most people would appear to only have one installation of the WMP
control on their systems.)

In fixing this problem Microsoft failed to recognize the actual problem.
The technical fix provided an opportunity for a user to stop being
identified without being told they were being identified. It failed
miserably at meeting the user expectation that, unless asked otherwise,
they do not want to uniquely identify themselves to anyone.

How many other unique GUIDs exist in a typical Windows installation?
Hundreds? Thousands? How many are generated for 3rd party applications
that are installed...many! Control over the querying of GUIDs needs to
be an integral part of the connection to the Internet, in the way
cookies are.

Its perfectly understandable that the use of GUIDs would be part of your
connection to the Internet, and that there would be at least session
persistence. AOL used to change the IP address of a given client
mid-connection, causing no end of trouble for server-side storage/logic.
However, it must be understood that "session" and "life-time of
installation" are two very different things. The entire Windows
environment should default to "session", and let the user be prompted
and choose to provide "life-time of installation" information when
queried.

Should you find any "well-known" site which employs the ClientID query,
send me a note, I'll keep a list of these "malicious" sites on
NTBugtraq's website.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

======================================
Delivery co-sponsored by VeriSign - The Internet Trust Company
======================================
FREE E-COMMERCE SECURITY INFRASTRUCTURE GUIDE
When building an e-commerce site, you want to start with a strong, secure
foundation. Learn how with VeriSign's FREE White Paper, "Building an
E-Commerce Trust Infrastructure." See how you can authenticate your site to
customers, use 128-Bit SSL encryption to secure your web servers, and accept
secure payments online. Click here:
http://www.verisign.com/cgi-bin/go.cgi?a=n116965650045000
======================================



Relevant Pages

  • Logon then immediately logoff problem - - solved.
    ... New hard drive, new installation of ... but the Windows Media Player included with XP did not play a DVD movie. ... Downloaded WMP 11 and installed it. ... I repeated the repair with the ERD Commander and again no WMP. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: URGE With Media Player 11 on VISTA
    ... Reinstalling WMP would not and could not address this. ... Windows Media Player cannot possibly address this in any way shape or form. ... See http://zachd.com/pss/pss.html for some helpful WMP info. ... installation to try and determine the issue. ...
    (microsoft.public.windowsmedia.player)
  • Re: WMP 11
    ... and Remove Windows Products to remove Windows Media Player 10, ... box wasn't checked when I tried to load WMP 11. ... I try to add music through the automatic search WMP11 conducts. ... got the DRM Migrate message again and the installation eventually ...
    (microsoft.public.windowsmedia.player)
  • Cannot uninstall or install WMP9
    ... I cannot find WMP in my programs or in Add/Remove Programs to uninstall. ... "Another program installation was not completed. ... You must restart your ... Still no Windows Media Player. ...
    (microsoft.public.windowsmedia.player)
  • Re: WMP 11 Media Sharing Issue
    ... happen between WMP 11 on Vista and WMP 11 on XP. ... Microsoft Windows Media Player product team. ... Newsgroups fall under the Microsoft defined category of "Community". ...
    (microsoft.public.windowsmedia)