The Register® — Biting the hand that feeds IT

Feeds

IE is tough on Flash cookies but ignores homegrown threat

Dear Microsoft: There's a Silverlight log in your eye

By Dan Goodin, 5th May 2011
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Members of Microsoft’s Internet Explorer team are giving themselves a pat on the back for making it easier to delete the privacy menace known as Adobe Flash Cookies. Too bad the IE developers aren't tackling a similar snoop threat embedded in Microsoft's very own Silverlight framework.

On Tuesday, a Microsoft program manager blogged that IE was now able to delete so-called LSOs. Short for local shared objects, the files set by Adobe Flash applications have been used for years as a stealthy means to track computer users' web browsing habits. The cookie-like breadcrumbs carry no expiration date, can (currently) be deleted only by visiting an online settings panel or by installing a third-party app, and can be exploited to restore tracking cookies a user has previously deleted.

Like recent versions of Google's Chrome and Mozilla's Firefox browsers, IE 8 will zap LSOs using an industry-standard technology Adobe is adding to version 10.3 of Flash, which is in beta and slated for general release soon. The so-called NPAPI ClearSiteData API allows users to delete the files the same way they erase HTTP cookies – by using the clear history functions built into each browser's menu bar.

“This means that when you delete your cookies with Delete Browsing History, Flash Player will automatically clear your Flash cookies as well,” IE Program Manager Andy Zeigler wrote. “We applaud the change. It resolves a longstanding privacy issue.”

But there's a separate privacy issue that's all Microsoft's making, and so far the company hasn't taken any meaningful steps to address. It turns out that Silverlight has a scheme known as isolated storage that allows Redmond's Flash-wannabe program to read, write and delete files inside a virtual file system.

“Isolated storage can be used in the same way as cookies, to maintain state and simple application settings, but it can also be used to save large amounts of data locally on the client,” Microsoft Program Manager Justin Van Patten wrote.

What this means is that Silverlight can store huge amounts of data about end users, and deleting these cookies is as kludgy as clearing Flash cookies. Once the Microsoft app stores the data, there's no way to delete it without relying on on the same Microsoft app. The history erasure tools in IE or any other browser, will provide no benefit at all.

"Microsoft is considering adding this capability to Silverlight but we have nothing to share at this time," a spokeswoman for the company said on Wednesday.

For those of you wondering, here's the erasure process, straight from the spokeswoman because we couldn't find it on Microsoft's website:

To delete Silverlight cookies, users should visit a webpage that contains a Silverlight Application. Right click on the Silverlight application, and choose 'Silverlight' from the drop-down menu. In the new dialogue box select the 'Application Storage' tab. Delete all of the content in this box at once or just from the selected site.

El Reg isn't in the habit of quoting scripture, but in Microsoft's case Matthew 7:3 seems appropriate: “Why do you see the piece of sawdust in another believer's eye and not notice the wooden beam in your own eye?” ®

This article was updated to add detail about use of third-party apps. The headline was changed and details added to make clear that the the API was added by Adobe to Flash 10.3, allowing calls put into IE 8 to delete Flash cookies.

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (22)
Highly Rated
Anonymous Coward
Anonymous Coward

The way I delete Silverlight 'cookies'

is by never installing Silverlight in the first place. I recommend it!

But as I understand it, Better Privacy and Ghostery would sort this out if you actually used this particular piece of Microsoft shite.

7
1
Captain TickTock

Tough on Flash...

tough on the causes of Flash

2
0
dogged
Reply Icon

"thank goodness"?

Why? Is

Judge not, that ye be not judged.

For with what judgment ye judge, ye shall be judged: and with what measure ye mete, it shall be measured to you again.

And why beholdest thou the mote that is in thy brother's eye, but considerest not the beam that is in thine own eye?

Or how wilt thou say to thy brother, Let me pull out the mote out of thine eye; and, behold, a beam is in thine own eye?

Thou hypocrite, first cast out the beam out of thine own eye; and then shalt thou see clearly to cast out the mote out of thy brother's eye.

too hard for you?

3
1

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
19