Bugtraq mailing list archives

Re: Microsoft Word documents that "phone" home


From: Kris Kennaway <kris () FREEBSD ORG>
Date: Thu, 31 Aug 2000 20:38:19 -0700

On Wed, 30 Aug 2000, Microsoft Security Response Center wrote:

> Microsoft has posted a response to this advisory,
> entitled "Cookies and Word Documents", available at
> http://www.microsoft.com/technet/security/cookie.asp

Yeah, but claiming that "Any web-enabled application can, by definition,
contact a web site" seems to miss the risk here. Word processing documents
and the like have traditionally not been "internet-aware", so this kind of
behaviour would come as a surprise to most people, even those who
understand the privacy risks associated with cookies in a browser context.
In other words, most people probably don't think of their spreadsheet or
word processor as being "web-enabled".

I'm sure this kind of internet-integrated document behaviour is going to
become more widespread over time (like it or not), but any new paradigm
causes an unavoidable lag time before people catch up to thinking about
things along the new lines. IMO it's not good security practice to
introduce new vulnerabilities which will be tripped over by unsuspecting
people who are still looking at things in the old, familiar context.

Parenthetically, the majority of internet users probably have cookies
enabled and always will, which means that they are vulnerable to document
tracking in this form.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>

