Bugtraq mailing list archives
Re: Other file formats that can "phone" home
From: jsl2 () JEDITECH COM
Date: Sun, 3 Sep 2000 21:50:36 -0700
On Sat, 2 Sep 2000, Richard M. Smith wrote:
> However, clearly not every web-enabled application has this problem. The key issue is not if the application is web-enabled but if a *file format* supported by an application is web-enabled.

There is really no distinction between web-enabled file formats and web-enabled apps. Privacy Foundation's advisory mentions MP3, so I will use that to illustrate a point: The ID3v2 tag format allows for embedded URLs for things like additional artists' information, album graphics, etc. Clearly the ID3v2 tags are web-enabled, and any web-enabled MP3 player can be subverted to notify somebody. Now imagine a "smart" MP3 player that can reference an Internet DB for album pictures by using the title in the MP3 tag to perform a query. There need not be any URLs in that MP3 file... put the appropriate keywords in the title and the "smart" MP3 player can potentially be tricked into notifying somebody without the user's knowledge.

> For a file format to be "buggable" it needs to support embedded HTML content or links to Web images that are automatically activated when a file is opened.

Strictly speaking that is true; you can't "bug" a FILE that doesn't support web links. But if the goal is to identify potential privacy problems, then we must also include any web-enabled application that can automatically "reach out" without the user's knowledge.

Does anyone know if current web-enabled apps use unique User-Agent strings? For example, I would prefer that MS Word identify itself in the User-Agent string when it retrieves a link over the Web (even if it uses IE's libraries to do so). The point is:

- people can block specific applications from the 'Net by a proxy or firewall;
- people who do not want Word to identify itself via User-Agent can use a proxy like JunkBusters (or hex-edit the executable!)

-James
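An added example, not part of the original post: a Python scan of an ID3v2.3/2.4 tag that lists every URL a player could be asked to fetch, covering W*** link frames and APIC frames whose MIME type `-->` makes the picture a link. The sample tag, its hostnames and the helper names are constructed for illustration; unsynchronised tags, extended headers and compressed frames are not handled.

```python
import re
import struct

# URLs end at whitespace, NUL or a quote/angle bracket.
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+", re.I)

def syncsafe(b):
    """Decode a 4-byte ID3v2 syncsafe integer (7 useful bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def find_tag_urls(data):
    """Return [(frame_id, url)] for URLs in an ID3v2.3 or ID3v2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] not in (3, 4):
        return []
    end = min(10 + syncsafe(data[6:10]), len(data))
    pos, found = 10, []
    while pos + 10 <= end:
        frame_id, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if not re.fullmatch(rb"[A-Z0-9]{4}", frame_id):
            break  # padding or corrupt data ends the frame list
        # v2.4 frame sizes are syncsafe, v2.3 sizes are plain big-endian.
        size = syncsafe(raw) if data[3] == 4 else struct.unpack(">I", raw)[0]
        body = data[pos + 10:min(pos + 10 + size, end)]
        # Encoding byte 1 or 2 means UTF-16 text: drop NULs so ASCII URLs match.
        if body[:1] in (b"\x01", b"\x02"):
            body = body.replace(b"\x00", b"")
        for m in URL_RE.finditer(body):
            found.append((frame_id.decode("ascii"), m.group().decode("latin-1")))
        pos += 10 + size
    return found

def make_frame(frame_id, body):
    """Build a v2.3 frame (used only for the constructed sample below)."""
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body

def make_tag(frames):
    """Wrap frames in a v2.3 header with a syncsafe size and some padding."""
    n = len(frames) + 16
    size = bytes([(n >> 21) & 127, (n >> 14) & 127, (n >> 7) & 127, n & 127])
    return b"ID3\x03\x00\x00" + size + frames + b"\x00" * 16

# Constructed sample: a title, an artist-webpage link and a linked cover image.
SAMPLE = make_tag(
    make_frame(b"TIT2", b"\x00Constructed Song")
    + make_frame(b"WOAR", b"http://tracker.example/artist?id=42")
    + make_frame(b"APIC", b"\x00-->\x00\x03cover\x00http://img.example/cover.gif"))

if __name__ == "__main__":
    for frame_id, url in find_tag_urls(SAMPLE):
        print(frame_id, url)
```

A clean result only means the tag carries no links; it says nothing about a player that builds its own query from the title, which is the second case the message describes.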