CONSUMER ALERT
MIKE COX
ATTORNEY GENERAL
The Attorney General provides Consumer Alerts to inform the public of unfair, misleading or deceptive business practices, and to provide information and guidance on other issues of concern.
Internet Security Advisory
Patch the Hole in Your Cookie Jar!
Microsoft has developed a "patch," or software update, that users can download and install to repair a serious security flaw in recent releases of its popular browsing software, Internet Explorer, versions 5.5 and 6.0 for Windows. (Earlier versions of Internet Explorer are no longer supported by Microsoft but may also be affected by this vulnerability.) Microsoft’s action comes after independent computer security experts recently discovered, confirmed and reported that certain information placed on a user’s computer by websites they visit is vulnerable to retrieval by intruders.
Microsoft has characterized the maximum severity rating of this flaw as "critical." Details about this security risk and instructions on downloading the software patch are available on Microsoft’s website.
In a nutshell, the flaw in Internet Explorer 5.5 and 6.0 would allow unknown persons to access Internet "cookie" files on your computer. Access to these files can allow a malicious intruder to unlock sensitive, personal information you have provided to websites when you registered or opened an account at those sites.
In order to understand this threat, it is helpful to have a basic understanding of how cookies are used. Cookies are not programs, but rather simple text files placed on your computer by websites you visit. "First-party cookies" are placed by the website you are visiting for the purpose of allowing the site to recognize you when you visit the site in the future. "Third-party cookies" are typically placed by Internet advertising or tracking companies that are present (though often undetectable) at the site you have chosen to visit and may be used to track your browsing behavior over time and across different websites. By design, only the website that originally placed the cookie on your computer should be able to read the information stored in that cookie.
The primary risk presented by the security flaw in Internet Explorer centers on first-party cookies: the theft of the personal information that you have provided to a website and that has been associated with the website’s first-party cookie placed on your computer during your previous visit to the site.
Here is an example: if you establish an account at an online business (perhaps because the website requires registration), you may be asked to provide sensitive personal, financial, or medical information, depending on the nature of the website and your activity at that site. Your personal information is stored by the website and associated with a unique identification number ("unique ID") contained in the cookie that the website has placed on your computer. This unique ID allows the website to recognize your computer immediately when you return to that website at a later time. When the website recognizes the unique ID stored in the cookie it previously placed on your computer, the site may allow you access to your account information directly without requiring you to prove your identity in some other way, such as entering your user name and password. The website would simply retrieve your account information that it has associated with the unique ID in the existing cookie on your computer.
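The two rules described above (a cookie is handed back only to the site that set it, and the site treats the unique ID in that cookie as proof of who you are) can be made concrete in a small model. The following is an added illustration, not code from this alert or from Microsoft; the host names, account data and class names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # the host that placed the cookie


class CookieJar:
    """Browser-side cookie store. Enforces the design rule the alert
    describes: a cookie is sent back only to the host that set it
    (or a subdomain of it), never to an unrelated site."""

    def __init__(self):
        self._cookies = []

    def store(self, setting_host, name, value):
        self._cookies.append(Cookie(name, value, setting_host.lower()))

    def cookies_for(self, request_host):
        host = request_host.lower()
        return {c.name: c.value for c in self._cookies
                if host == c.domain or host.endswith("." + c.domain)}


class ShopSite:
    """Server side: keeps account data keyed by the unique ID it placed
    in the visitor's first-party cookie."""

    def __init__(self, host):
        self.host = host
        self._accounts = {}

    def register(self, jar, username, card_last4):
        uid = secrets.token_hex(16)          # the "unique ID"
        self._accounts[uid] = {"user": username, "card_last4": card_last4}
        jar.store(self.host, "uid", uid)     # Set-Cookie on the registration response

    def account_for(self, cookies):
        # Whoever presents a valid uid is treated as the account holder;
        # no password is asked for, which is why a stolen cookie matters.
        return self._accounts.get(cookies.get("uid"))


def demo():
    jar = CookieJar()                        # constructed browser state
    shop = ShopSite("shop.example")
    shop.register(jar, "alice", "4242")
    returning = shop.account_for(jar.cookies_for("shop.example"))
    unrelated = jar.cookies_for("tracker.example")   # should see nothing
    return returning, unrelated
```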
The security flaw in Internet Explorer is that persons other than the website that placed the cookie can read, and modify, the information in your cookie files. The vulnerability could permit a thief to obtain and present your cookie information to a website that has collected your account information, which in turn could allow the thief to obtain access to your personal information or to make a purchase in your name using your credit card!
To protect consumers against cookie monsters on the Internet, the Attorney General’s office urges consumers to visit Microsoft’s website (address given above) to download and install the patch Microsoft has developed to plug this security hole.
Patches for Other Programs.
Microsoft and other software vendors frequently make patches available to users at the vendors’ websites. Consumers should consider visiting the websites of any software products they use to find out whether patches or updates have been posted. Consumers using Microsoft’s Outlook for e-mail, for example, may wish to visit Microsoft’s website to read Microsoft’s discussion and to download security patches for Outlook at office.microsoft.com/downloads/2000/Out2ksec.aspx.
Controlling Cookies. Users who are concerned about compromising their security and privacy through the use of cookies are encouraged to review the options available in their browsers. Current versions of browsing software, including Netscape Communicator and Opera, as well as Internet Explorer, provide users with greater control over the use of cookies, including the options of rejecting third-party cookies or directing the browser to discard cookies when the browser is closed. Users should consult their browser’s help features to learn more. (Consumers may also wish to read the prior articles on Controlling Cookies [revised] and Who Left the Cookies in the Cyberjar? [revised] for additional information.)
Other Steps Consumers Can Take to Protect Their Computers. The Attorney General strongly advises consumers to learn about, use, and maintain up-to-date versions of software designed to protect their computers against unauthorized access and against the installation of computer viruses and worms -- malicious, destructive programs that may sneak their way into your computer system while you are surfing the Internet or using your e-mail software. Consider using both:
· Firewall software to protect against unauthorized access to your computer; and
· Anti-virus software to keep dangerous programs off your computer.
Stay Informed.
In addition to installing and maintaining protective software, interested consumers may wish to do their own research on the Internet to learn more. In addition to many commercial sites devoted to computer security, one useful website maintained by the United States Department of Justice is the National Infrastructure Protection Center, which contains articles for consumers on Password Protection and Computer Security.
Consumers should be aware that the ease with which large amounts of information can be acquired, compiled, combined, shared, and sold has led to a dramatic rise in reported cases of identity theft -- the fraudulent use of another individual’s personal information. Consumers are urged to take care to protect their personal information, whether online or in the "real world." If you suspect your personal information has been misused or if you want to know more about how you can reduce your risk of becoming a victim of identity theft, visit the Federal Trade Commission’s consumer website at www.consumer.gov and review the information in the ID Theft pages.