what you don't know can hurt you


Posted Aug 17, 1999

Microsoft has invented new ways to compromise your privacy and snoop on you while you work. These "features" are now included in Windows 98, Office 97, and even in microsoft.com cookies. The beta versions of Windows 2000 and Office 2000 are also suspect.

tags | exploit
systems | windows, 2k, 9x
MD5 | cb06818c8a12602108b8a834ab46a813


Date: Tue, 11 May 1999 21:55:22 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Everywhere your MAC address shows up

Forwarded From: <anonymous>

A special report from YEOW - Barry Simon.

See the Woody's Office Watch discussion and details on the Office 97
privacy problem. Issues 4.11 and 4.12

Because of the important Internet Explorer 5 coverage some regular WWW
features have been held over to the next issue.

We reported earlier on the brouhaha over the inclusion of hardware IDs in
the Pentium III chip and privacy advocates' concerns about it. Turns out
many of us already have hardware IDs on our systems since all Ethernet
cards have a MAC (stands for 'Media Access Control', whatever that
means!), a six byte ID number that networks need to be sure to properly
direct network packets. Of course, the Pentium III ID's are more serious
since many home systems don't (yet) have network cards and the biggest
privacy concerns are in the consumer space.

Due to wonderful sleuthing by Richard Smith of PharLap (who earlier
located the April Fool's Bug discussed in WWW issue 2.2), the world has
discovered a number of places that Microsoft has been using these MACs -
in Windows 98 IDs, in Office 97 documents and in the microsoft.com
cookies. And privacy concerns result from all these uses.

To understand the issues, try a few experiments. First, you'll need your
MAC assuming you have an Ethernet adapter. With Windows 9x, run the
program winipcfg from the Run box. It should load with a dropdown that
says 'PPP Adapter'. Change the dropdown to the name of your hardware
adapter. The Adapter Address field will say something like
00-70-06-9A-8E-43. That's your MAC. Each byte is presented as two hex
digits (0 through 9 or A-F) for a 12 character ASCII string which is what
Microsoft uses. With Windows NT, run instead winmsd, go to the Network
tab and pick Transports and you'll get the MAC.

For the next experiment, you'll need to look at a Word 97 document in text
mode. You can't do this with Word. If you have Quick View Plus (plain
Quick View won't do), open a Word doc in QVP, go to the View menu and pick
View as Text. Or make a small Word doc, save it and rename it to a .txt
extension and open it in Notepad. Now search for the string PID. You
should find _PID_GUID and shortly afterwards, a long hex string inside
braces such as {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}. Those 12 hex digits
at the end will be your MAC. Yup, every Word doc, every Excel spreadsheet
and every Power Point presentation is branded with an identifier showing
the PC it came from. If your boss has a Word memo you sent her and a copy
of the anonymous whistle blowing attachment you sent to the Feds, she
could determine they were made on the same machine. (Of course, if you
aren't careful, the document includes an author name and if any
corrections were made, it may say who made the corrections. Within the
next few days, Microsoft expects to post a white paper on all the
'metadata' embedded in Office documents).

To run the next experiments, you'll need Windows 98, so I'll tell you what
happens so you can follow along in any event. In your Windows directory,
you'll find a file called reginfo.txt. Open it in Notepad and look for a
line called HWID; it ends with your MAC. This file is created when you
install Windows and is transmitted to Microsoft when you register. And
here's the clincher: even if you check the box not to send hardware
information, this data is sent. And it's even worse - the data collection
code is in an ActiveX control that can be used by any Internet site out
there. Pharlap has a demo to illustrate this: go there and it displays
your MAC on screen. Any site knowing of this control could track MACs of
all Windows 98 visitors to their sites. There is also a demo and
discussion at Windows Magazine. By the way, this ActiveX control is also
in the Windows 2000 beta so if Microsoft hadn't been found out, NT users
would have been hit next.

Next, go to your cookies directory and open the text file whose name ends
with microsoft.txt (it probably has a username@ in front where username is
your login name). In it you'll find a string called GUID that includes
your MAC (GUID, by the way, is short for Global Unique Identifier). This
cookie is sent to www.microsoft.com every time you visit that site. You
may have realized they were making a cookie when you registered at their
site but I bet you didn't realize they were adding hardware information
without your permission. (Actually the Win98 Registration Wizard made the
cookie before you went to the Microsoft site.)

You might want to search your Registry for your MAC as a string. I found
mine numerous times - two in suspicious places vis-a-vis Microsoft. It's
part of a key for Media Player called Client ID (is this passed on to the
Media Player servers?) and as part of a key HKCU\Identities that seems to
be connected with Outlook Express 5.0.

There is certainly plenty here for the paranoid. Microsoft is collecting
and storing in its databases unique hardware information. That
information brands your documents, and is always sent on when you access
Microsoft's site. One has to consider the possibility that Microsoft is
keeping some master database tracking all sorts of interactions based on
your MAC. And one has to allow the possibility that the MAC will be
encoded in the information that is sent by the Office Registration Wizard
in Office 2000.

Microsoft has reacted vigorously to the developments in this story. They
have two customer letters (here and here) on their site in which they
promise to remove the hardware ID part of the registration wizard in a
Win98 upgrade. They also promise to delete 'any hardware ID information
that may have been inadvertently gathered without the customer having
chosen to provide Microsoft with this information.' Tools have already
been posted to remove branding from Office applications and from
already-created docs and there is a promise that branding will be removed
from the final version of Office 2000.

Beyond these actions, there has been a full court spin operation. Some MS
representatives have (unwisely in my opinion) attempted to minimize the
issue. There have been claims that the doc branding was a part of a
feature, never implemented, intended solely to help network administrators.
There has been harping on the fact that the MAC only identifies a machine
but not an individual - true but not of much comfort in many cases. We've
been told that Windows 98 sending a HWID even if you said not to send
hardware information was a bug, not a feature - an inadvertent programming
error. There's been no new statement about the use of MACs in cookies
which I find most disturbing.

We've been told by Microsoft representatives that the Office 2000
Registration Wizard doesn't collect MACs or anything like a MAC. Indeed,
they claim that while the Office CD serial number can be reconstructed
from the 16 byte code sent by the wizard, the hardware info does not allow
reconstruction. In particular, if the different CDs were used on the same
machine, they'd be unable to tell that the codes came from the same


The problem with the Microsoft position is that the company has so little
credibility and there is too much of a pattern here. We pride ourselves
on taking a middle road on Microsoft at Woody's newsletters. We don't
hesitate to put their feet to the fire but, on the other hand, we don't
take the position that Microsoft is the root of all evil and everything
they say and do is two faced. That said, Woody's middle name isn't Polly
and mine isn't Anna. Microsoft has amply demonstrated that it is company
policy to, er, shade the truth when doing so serves a perceived business
purpose. We see it in the leaked disinformation about Windows 2000
shipping this fall, we've seen it in their previous reactions to
accusations and we saw it too often in the testimony at the DOJ trial.

That means one has to take skeptically every statement that Microsoft has
made about the MAC problem. I'm inclined to believe that branding of
Office documents wasn't part of a plot to link together our entire lives
in Microsoft's databases. But I'm insulted that they try to bat their
eyelashes and claim to us that the sending of the HWID even when you told
them not to send hardware info was an inadvertent error. And I'm
concerned that we have no way of knowing that they've kept their promise
to remove hardware IDs from their internal databases. Indeed, my
presumption is that they will not.

I worry that Microsoft is tucking all sorts of things into the holes they
aren't discussing. While they have said they'll stop using HWID, they
have also said they'll continue to use the MSID number which is created by
the Windows 98 Registration wizard. And, guess what? As discovered by
Peter Siering at the German publication C'T Magazine, the registration
wizard also creates a Microsoft cookie that includes MSID. So even after
the apologies and changes, it seems Microsoft will be quite capable of
tracking us and linking online visits to registration information.

It's interesting about credibility. There was also an Intel slip reported
recently that they claimed was inadvertent. Apparently some mobile
Pentium II's shipped with hardware IDs even though these were only
announced for Pentium III's. Intel's explanation is that they experimented
with this feature in the manufacturing process for the mobile Pentium II
but it was supposed to be disabled before shipping. One line
inadvertently didn't do the disabling. Intel's credibility is such that
I'm willing to accept their claim of inadvertence here.

Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
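
Added example (not part of the original report or of any Microsoft tool): a privacy-audit sketch in Python that scans a saved file's bytes for brace-delimited GUIDs and reports those whose trailing 12 hex digits equal a given adapter address, as in the Word 97 experiment above. A GUID ending in a MAC is a version 1 (time-based) identifier, so the sketch also decodes its embedded creation time; the function names and the sample bytes are constructed for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # start of v1 timestamps

def normalize_mac(mac):
    """'00-60-08-9B-B2-DA' or '00:60:08:9b:b2:da' -> '0060089BB2DA'."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def find_guids(blob):
    """Unique GUID strings in raw bytes. Dropping NUL bytes is a heuristic that
    lets one pattern match both ASCII and UTF-16LE text at any alignment."""
    text = blob.replace(b"\x00", b"").decode("latin-1")
    return list(dict.fromkeys(m.group(0).upper() for m in GUID_RE.finditer(text)))

def describe(guid):
    """Decode the fields that make a version 1 GUID traceable to a machine."""
    u = uuid.UUID(guid)
    info = {"guid": guid, "version": u.version, "node": None,
            "real_mac": False, "created": None}
    if u.version == 1:
        info["node"] = "%012X" % u.node
        # Multicast bit clear in the first octet: an IEEE-assigned adapter
        # address rather than a randomly generated node value.
        info["real_mac"] = ((u.node >> 40) & 0x01) == 0
        # u.time counts 100 ns ticks since 1582-10-15.
        info["created"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return info

def audit(blob, mac):
    """GUIDs in blob whose node field equals the given adapter address."""
    target = normalize_mac(mac)
    return [d for d in map(describe, find_guids(blob)) if d["node"] == target]

# Constructed sample: the GUID quoted in the report stored as UTF-16LE,
# followed by an unrelated random (version 4) GUID stored as ASCII.
SAMPLE = (b"\xd0\xcf\x11\xe0junk"
          + "_PID_GUID".encode("utf-16-le") + b"\x00\x00"
          + "{F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}".encode("utf-16-le")
          + b"tail{3F2504E0-4F89-41D3-9A0C-0305E82C3301}")

if __name__ == "__main__":
    for hit in audit(SAMPLE, "00-60-08-9B-B2-DA"):
        print(hit["guid"], "node", hit["node"], "created", hit["created"])
```

Run against a real file with `audit(open(path, "rb").read(), mac)`; an empty list means no GUID in the file carries that adapter address.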

