Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

Win98 Privacy Problem

  • From: Paul Howell
  • Date: Sat Mar 13 08:15:57 1999

Win 98 Privacy Issue: Worse Than You Thought
http://www.techweb.com/wire/story/TWB19990312S0008

A Windows Magazine investigation has shown the recently reported
privacy concern with Microsoft's Windows 98 Registration Wizard goes
much deeper than previously reported.

It's not only possible for any website to read information that
uniquely identifies you and your PC, but that information can be
modified and/or sent to Microsoft without your consent.

Last week, Richard Smith of Phar Lap Software first identified a risk
with the Registration Wizard, or RegWiz. (The Phar Lap discussion of
this problem is at http://security.pharlap.com/regwiz/index.htm).

Win 98 uses RegWiz to process your product registration form and
submit it to a Microsoft server over the Internet. Two identification
numbers are generated based on your PC configuration and the data you
enter during registration. The first number, called the hardware
identification number (HWID), can, in most cases, uniquely identify
the computer. A second number, called the Microsoft ID (MSID),
uniquely identifies a user and is placed in a browser cookie for
access to services on Microsoft's website.

Windows contributing editor Martin Heller examined the interface to
RegWiz and discovered not only does the control allow the HWID and
MSID numbers to be read by any site, but it also lets them be
changed. That means any Web page can alter these ID numbers, and can
even do so without your knowledge. A demonstration that uses RegWiz
to read and set this information can be found at
http://www.winmag.com/web/regwiz.htm.

RegWiz also includes the ability to send a PC's registration
information to Microsoft. This can be triggered from any Web page
without the user's consent. When this function is used, a small
window appears that says "Sending the registration information to
Microsoft ... Please wait." Other than disconnecting from the
Internet, there is no way for a user to stop the transfer once it has
started.

In response to the privacy concerns raised by the Registration
Wizard, Microsoft has said it will no longer record the HWID
information when a user registers, and will eliminate any use of the
HWID information that might currently be in their databases. The
company said it also expects to have a utility available within two
weeks that deletes the HWID personal registration data from the
registry. It is possible to disable RegWiz and remove the information
manually by using the Win 98 registry editor, and we have provided
instructions for doing this at
http://www.winmag.com/web/regwizoff.htm.

For more technology news, visit http://www.techweb.com
