According to a post by privacy advocate Richard M. Smith to the BugTraq mailing list Tuesday, WMP generates by default a serial number which can be grabbed by a Web site using a simple exploit. The number can be used as a 'super cookie', as Smith calls it, enabling a nosey third party to track a victim's on-line comings and goings regardless of their cookie handling rules.
The coding here is embarrassingly simple:
ID=WMP WIDTH=1 HEIGHT=1>
The only fix is for users of older versions of WMP to patch their systems, and then to select the option in WMP which disables the wonderful 'feature' allowing their players to be uniquely identified. (Why anyone in his right mind would desire such a thing is quite beyond me; but the feature, incredibly, is enabled by default.)
Once a user turns off the option, a unique WMP number will be generated for each IE session, so long-term tracking is impossible.
"However, asking the average user to solve an Internet Explorer privacy leak by manually changing settings in a different program seems a bit much to me. Especially considering that there are many people who have never run Windows Media Player, yet they are still vulnerable to the problem," Smith notes.
And indeed, the idea that a media application might be causing a Web browser to leak data in spite of its own security settings would be counter-intuitive to the casual user or computing newbie.
It's only after we've become familiar with Microsoft's habits in security engineering that such a thing begins to make perfect sense. ®