~ Tutti all'opera! ~ Essays ~

The case for NOT using Microsoft's explorer
The Unbearable Lightness of persistence
by A+heist
heavily edited by fravia+
January 2001
A+heist seems to have taken this from a /. series, but I reckon it's quite important to publish: repetita juvant

As even idiots are aware nowadays, a lot of software attempts to track what you do on the web (and what files you handle) without telling you anything.
Such software trojans are called malwares here @ fravia's (and elsewhere), but you'll be able to find many other names for these covert snooping activities all over the web (snoopers, concealed activities, phoning home...).
Since Joe the luser doesn't understand jack, there's a lot of money to be made selling or trading the data he delivers and sputters around without even knowing it. These data must be gathered in order to be sold... thus the growing use -inter alia- of trojan software.
The "Old" Trojan software approach was relatively risky, though, because it had to send the gathered data over the web to some specific address... wouldn't it be better if those data were stored ON YOUR OWN COMPUTER, of course without you knowing or understanding it, and easily used or perused by any third party when you happily browse the web? That's what's nowadays possible thanks to Microsoft explorer. Note that this service can be used by OTHER software producers as well... Microsoft has made it possible for anyone to store info on your own harddisk without you being aware of it... and some software producers are already actively taking advantage of this...

For instance, as you might NOT know, ACDSee has a "feature" of storing a complete database of everything you saw with their software (complete paths and filenames, together with small thumbnails sometimes). Great "feature" once you understand that OTHER PEOPLE can also get at it, eh?
By the way: don't you think, as I do, that it is funny how all intrusions that trample your privacy rights are called 'features' nowadays? And I believe it is even more funny, or sad, come to think of it, that not only slaves and "hoi polloi" web-commoners, but even reversing-savvy and other people that should know better fall for that: "Hey, if M$IE does what I need, why should I care if some of my data are reported somewhere? You're just bashing Microsoft... I'm not into anything illegal, duh"... as if that were the problem... poor suckers.

The idea that there might be some users (for instance me) that DO NOT WANT the whole world to know what they have been looking at on their own computer does not even come to their minds.

Yet in the "malwares" arena nothing can beat the most recent version of Microsoft explorer with its "userdata persistence".
M$IE's trademarked and copyrighted userData behavior persists data across sessions, using one UserData store for each object.
The UserData store is "persisted" in the cache using save and load methods. Once the UserData store has been saved, it can be reloaded even if Microsoft Internet Explorer has been closed and reopened. And even if you have cleaned all your cookies and everything else in sight.
You dig what this means? Re-read the sentence above please... now think...

Sounds just like sorta new cookies, eh? I bet you didn't know that M$IE version 5 (or more) had this persistence "feature". Did you? Ok, you knew already, 'coz you did read the relevant Bugtraq advisory, sorry if I ever had some doubts :)

"Oh boy... I knew that... in fact that's pretty useful, so I don't have to type every time the whole URL/password/data eh... You're just bashing Microsoft..."
Poor sucker.
The problem IS NOT the fact that M$IE saves your searches and your inputted form data inside form boxes automatically for you.
The real problem here is that this "persistence" stuff can be manipulated ad hoc through Javascript in order to store and load data, by any web-savvy web page author.
Once more: re-read this last sentence and understand its implications... scary eh?

Yes, everyone with half a brain knew that M$IE saved all the previous data that you type into a search box -say at AltaVista- but I didn't know (and I'll bet you that most people still don't know) that a web page could use this same technology in much the same way that cookies are used.

Ok, you want to understand exactly what I'm speaking about: try this yourself if you've got M$IE version 5 (or higher)... and you should NOT have it, as you will soon discover :)
Go to www.microsoft.com, click on the Support menu up top, then click on Knowledgebase...
Enter some search terms -one or two search terms about something whatsoever- now close out, wipe out your History, wipe out your Temporary Files and all the bazaar.
Then wipe out cookies.
Wipe out everything you find suspect, go ahead.
Now browse back in and check M$-Knowledgebase.
Great! Hurrah! It remembers your search term, because as a matter of fact some SECRET INFO has been written on your own harddisk in some XML file buried deep somewhere.

Of course, as all sparrows are singing by now, the first thing to do immediately after installing Internet explorer... and before it uploads the whole contents of your hard drive to microsoft... is to disable ANY scripting support. If you do not, you'll sooner or later learn this from your own hard experience, "helped" by the never ending barrage of scripting exploits produced all over the web.

This 'persistence' depends on scripting support. I cannot guarantee that all sorts of Microsoft "persistences" work like this; however, the persistence I've watched in Microsoft explorer uses XML to store data on the user's hard drive, and this data is known as -surprise- "userdata". This "userdata persistence" can be separately disabled, just like cookies, in the M$IE security preferences (under "allow userdata persistence").
If you want to take a look at what such "userdata" has already stored inside your computer, check out the XML files stored in (under win2k) "\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\Userdata\". In theory this userdata can only be read from the same place that wrote it, much like cookies. It works from different locations inside your hard drive as well: different directories cannot -in theory- read each other's userdata. Thus some bozos believe that this feature could be quite handy, since it allows for more data-storage (in terms of bytes) than cookies, and it is in XML.
The difference is that this can just fill up a database, recording everything you do. While advertising is certainly the most likely commercial application, such tactics could be used in other ways, such as legal action. It's also a good way of enforcing censorship in controlled environments for many target audiences.
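
To see what has actually been persisted, you can walk that Userdata directory and dump every value held in each XML store. This is an added example, not part of the original essay: the function names `audit_userdata` and `build_sample` are hypothetical, and the store layout (a `ROOTSTUB` root element whose attributes hold the saved values), the subfolder name and the sample files are constructed assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def audit_userdata(root_dir):
    """Walk a UserData directory and return one record per XML store found."""
    records = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(files):
            if not name.lower().endswith(".xml"):
                continue  # skip index.dat and anything else that is not a store
            path = os.path.join(dirpath, name)
            rec = {"file": os.path.relpath(path, root_dir),
                   "bytes": os.path.getsize(path), "values": {}, "error": None}
            try:
                # Assumed layout: persisted values are element attributes.
                # Walk every element so nested nodes are reported too.
                for elem in ET.parse(path).getroot().iter():
                    for key, value in elem.attrib.items():
                        rec["values"][f"{elem.tag}@{key}"] = value
            except ET.ParseError as exc:
                rec["error"] = str(exc)  # truncated or corrupt store: report, keep going
            records.append(rec)
    return records


def build_sample(root_dir):
    """Constructed sample data: one well-formed store and one truncated store."""
    sub = os.path.join(root_dir, "ABCD1234")  # made-up cache subfolder name
    os.makedirs(sub)
    with open(os.path.join(sub, "search[1].xml"), "w", encoding="utf-8") as fh:
        fh.write('<ROOTSTUB lastQuery="reverse engineering" visits="7"/>')
    with open(os.path.join(sub, "broken[1].xml"), "w", encoding="utf-8") as fh:
        fh.write('<ROOTSTUB lastQuery="cut off')
    with open(os.path.join(sub, "index.dat"), "wb") as fh:
        fh.write(b"\x00" * 16)  # non-XML file that the audit must ignore


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rec in audit_userdata(tmp):
            print(rec["file"], rec["bytes"], "bytes")
            for key, value in rec["values"].items():
                print("   ", key, "=", repr(value))
            if rec["error"]:
                print("    unreadable:", rec["error"])
```

On a real machine, pass the Userdata path given above to `audit_userdata` instead of the temporary sample directory.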

Whether this (hidden) information is really of great value may be debatable, but I wouldn't want anybody (especially low-life forms like marketers) to know what social vice website I view nor my preferred political or religious sites, nor the sites I visit in other countries etcetera.
Just because the chances of such info being used are small doesn't mean this info won't be used, duh.
Inside M$IE 5.1 there is also an option (in the advanced tab) called "Enable Page Hit Counting". Here is what the Help says about it:
     Specifies whether you want Internet Explorer to allow Web 
     sites to track your Web page usage. Selecting this check box 
     allows sites to create a log on your computer of which pages 
     you view, even when you are viewing Web pages offline. 
     That log is sent to the site the next time you go to it. 
     By tracking the usage and popularity of specific Web pages, 
     content providers can tailor future content to match your 
     interests.
As usual Microsoft chose the most innocuous and euphemistic description and name possible.

Oddly enough, in M$IE version 5.5, that option is still there, and enabled by default. HOWEVER, instead of being listed as "Enable Page Hit Counting" it is simply a blank field beside a checkbox. If you right-click it and do a "What's this" on it, it shows the same text quoted above...
Perhaps this is some kind of "feature" to keep people from turning it off? Who knows? Isn't it disturbing to know they're trying to hide it?

So, in version 5.1, they have "Enable Page Hit Counting" and "Userdata Persistence", and in version 5.5 they have "Userdata Persistence", and the page hit counting option is unlabelled (but at least still present).
You may want to ask Microsoft what they have to say about this crap.

Does this have anything to do with Passport?
It would seem that Passport is little more than a cookie circumvention process in order to provide commercial bastards with way more data than cookies can.

While you are looking at those darn tabs inside M$IE, there's a plethora of potential security issues that you can (try to) mitigate. Microsoft was nice enough to at least provide the options (given that one luser out of 1000 has ever given a look to these settings, they probably can afford to leave them there...), yet Microsoft was not nice enough to choose the secure default...

Advanced Tab
-----------
Profile Assistant (Allows web sites to upload information about you from somewhere. The Windows Address Book?)
Install on Demand (Web sites can install "Web Components" on demand. Vague enough for you?)
Of course you should always search from the Address bar, unless you want to tell MSN what you are looking for...

Security Tab
------------
ActiveX control settings (duh)
Tons of Script options which have known issues (which is why they are in this dialog box in the first place, duh)
Automatic Logon (Sends your weakly encrypted NTLM network password hash to anyone who asks)

You know what these automatic logon "NTLM credentials" are? It's your local NT logon, bozo.
Apparently if you are MYBOX\Administrator, M$IE will happily advertise this and a weak hashed password to anyone who asks.
Now put up a nice porn-site as a lure (+fravia, this should go in the lure section, eheh :)... how many admins are surfing porn sites as MYDOMAIN\Administrator right now?

As a matter for further developments on this track: whenever I find myself somewhere forced to use this explorer crap (I myself prefer Opera or even Lynx, of course) I later discover files (not bugs-images: files, duh) on my computer, which come evidently from web sites that I have never visited... matter for thoughts, eh?


A+heist, January 2001
You cannot email me, I only use one-shot "throwaway" email addresses
Finally, since we are on an "Opera-related" page, a famous svdism (Svd's wisdom):
"hit ctrl-B in opera. Then LEARN it by mind!"
you'll thank me more than once for this advice...

(c) 1952-2032: [fravia+], all rights reserved