Feeds

IE is tough on Flash cookies but ignores homegrown threat

Dear Microsoft: There's a Silverlight log in your eye

Intelligent flash storage arrays

Members of Microsoft’s Internet Explorer team are giving themselves a pat on the back for making it easier to delete the privacy menace known as Adobe Flash Cookies. Too bad the IE developers aren't tackling a similar snoop threat embedded in Microsoft's very own Silverlight framework.

On Tuesday, a Microsoft program manager blogged that IE was now able to delete so-called LSOs. Short for local shared objects, the files set by Adobe Flash applications have been used for years as a stealthy means to track computer users' web browsing habits. The cookie-like breadcrumbs carry no expiration date, can (currently) be deleted only by visiting an online settings panel or by installing a third-party app, and can be exploited to restore tracking cookies a user has previously deleted.

Like recent versions of Google's Chrome and Mozilla's Firefox browsers, IE 8 will zap LSOs using an industry-standard technology Adobe is adding to version 10.3 of Flash, which is in beta and slated for general release soon. The so-called NPAPI ClearSiteData API allows users to delete the files the same way they erase HTTP cookies – by using the clear history functions built into each browser's menu bar.

“This means that when you delete your cookies with Delete Browsing History, Flash Player will automatically clear your Flash cookies as well,” IE Program Manager Andy Zeigler wrote. “We applaud the change. It resolves a longstanding privacy issue.”

But there's a separate privacy issue that's all Microsoft's making, and so far the company hasn't taken any meaningful steps to address. It turns out that Silverlight has a scheme known as isolated storage that allows Redmond's Flash-wannabe program to read, write and delete files inside a virtual file system.

“Isolated storage can be used in the same way as cookies, to maintain state and simple application settings, but it can also be used to save large amounts of data locally on the client,” Microsoft Program Manager Justin Van Patten wrote.

What this means is that Silverlight can store huge amounts of data about end users, and deleting these cookies is as kludgy as clearing Flash cookies. Once the Microsoft app stores the data, there's no way to delete it without relying on on the same Microsoft app. The history erasure tools in IE or any other browser, will provide no benefit at all.

"Microsoft is considering adding this capability to Silverlight but we have nothing to share at this time," a spokeswoman for the company said on Wednesday.

For those of you wondering, here's the erasure process, straight from the spokeswoman because we couldn't find it on Microsoft's website:

To delete Silverlight cookies, users should visit a webpage that contains a Silverlight Application. Right click on the Silverlight application, and choose 'Silverlight' from the drop-down menu. In the new dialogue box select the 'Application Storage' tab. Delete all of the content in this box at once or just from the selected site.

El Reg isn't in the habit of quoting scripture, but in Microsoft's case Matthew 7:3 seems appropriate: “Why do you see the piece of sawdust in another believer's eye and not notice the wooden beam in your own eye?” ®

This article was updated to add detail about use of third-party apps. The headline was changed and details added to make clear that the the API was added by Adobe to Flash 10.3, allowing calls put into IE 8 to delete Flash cookies.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.