Microsoft IE 8 InPrivate feature lacking

Security Fail

From ITWorld.com, “Privacy feature in Internet Explorer 8 leaks private data”:

Forensic experts, however, found it trivial to retrieve the history, according to a test by Webwereld, an IDG affiliate in the Netherlands, and Fox IT, a Dutch firm specializing in IT security and forensic research.

But researchers were able to retrieve data displaying general information about the browser’s behavior. Although URLs (Uniform Resource Locators) aren’t stored, Prickaerts was still able to restore the browsing history. “The remaining records in the history file still enable me to deduce which websites have been visited,” said Prickaerts.

Even more data is stored in the browser’s cache, a feature designed to speed up performance of websites by storing a copy of recently accessed information on a user’s hard disk. InPrivate Browsing failed to disable this feature. Users seeking a higher level of privacy could manually delete the cache, but it can later easily be retrieved through commonly available forensic tools.

The shortcomings in InPrivate Browsing put the level of privacy protection in Internet Explorer 8 on a par with Firefox 2 and 3. The open source browser allows users to delete all private data, but does that by merely deleting files. Those too can easily be retrieved. Developers have crafted plugins for Firefox which mitigate the risk of information leaks.

Microsoft’s main goal with InPrivate Browsing is to prevent other users of the same computer from gaining access to the browsing history, the company said in an e-mail response. The feature isn’t designed to protect a user’s privacy from security experts and forensic researchers, the company said.
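The mechanics the article describes, as an added example that is not part of the ITWorld article, of the Fox IT test, or of this post: a history file is written to disk, "deleted" by unlinking, and then recovered by scanning the raw image for URL-shaped byte runs, which is what commodity carving tools do. The block device, its 64-byte blocks, the free-list behaviour (freed blocks are reused first, to show a partial overwrite) and the history file format are all constructed assumptions for the demonstration and are not NTFS or IE's actual on-disk layout.

```python
"""Why 'just delete the file' is not privacy: a carving demonstration.

Constructed toy model (not NTFS, not IE's actual index.dat layout):
a block device with a free list, where unlink only updates metadata.
"""
import re

BLOCK = 64  # constructed: small block size so the whole image stays tiny


class ToyDisk:
    """Constructed block device: a raw byte image plus a free-block list."""

    def __init__(self, blocks: int = 32) -> None:
        self.raw = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))
        self.files: dict[str, list[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        blocks = [self.free.pop(0) for _ in chunks]
        for blk, chunk in zip(blocks, chunks):
            start = blk * BLOCK
            self.raw[start:start + len(chunk)] = chunk
        self.files[name] = blocks

    def unlink(self, name: str) -> None:
        # What an ordinary delete does: the name and allocation map go away,
        # the data blocks keep their content until something reuses them.
        # Freed blocks go to the front of the free list so the next write
        # reuses them (assumption chosen to show a partial overwrite).
        self.free[:0] = self.files.pop(name)

    def wipe(self, name: str) -> None:
        # Overwrite the payload before unlinking. Caveat: on journaling
        # file systems and SSDs an in-place overwrite is not guaranteed to
        # hit the old physical location; never writing is the only sure path.
        for blk in self.files[name]:
            self.raw[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)
        self.unlink(name)


URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00]*)?")


def carve_urls(raw: bytes) -> list[str]:
    """File-system-agnostic carving: scan the raw image for URL-shaped runs.

    No directory entry is needed; this is what off-the-shelf forensic tools do.
    """
    return sorted({m.group(0).decode("ascii") for m in URL_RE.finditer(raw)})


# Constructed sample history file; the record format is an assumption, not IE's.
HISTORY = (
    b"http://intranet.example.com/hr/salary-review.html\n"
    b"https://mail.example.org/inbox?folder=drafts\n"
    b"https://bank.example.net/accounts/summary\n"
)
COOKIES = b"cookie: session=deadbeef; domain=.example.com\n"  # constructed


def demo() -> dict[str, list[str]]:
    """Three fates for the same history file; returns what carving recovers."""
    results: dict[str, list[str]] = {}

    disk = ToyDisk()
    disk.write("history.dat", HISTORY)
    disk.unlink("history.dat")                 # "clear private data"
    results["after_unlink"] = carve_urls(bytes(disk.raw))

    disk.write("cookies.dat", COOKIES)         # later activity reuses block 0 only
    results["after_reuse"] = carve_urls(bytes(disk.raw))

    disk2 = ToyDisk()
    disk2.write("history.dat", HISTORY)
    disk2.wipe("history.dat")                  # overwrite, then unlink
    results["after_wipe"] = carve_urls(bytes(disk2.raw))
    return results


if __name__ == "__main__":
    for stage, urls in demo().items():
        print(f"{stage}: {urls}")
```

The three stages line up with the article: after a plain unlink every URL carves straight back out; after a later write reuses the first block, the entries that happened to live past the reused region survive (the second and third URLs here); only the wipe variant leaves nothing, and even that carries the caveat in the comment. A session that keeps its history and cache in memory only never reaches the carving step at all.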

I’ll give Microsoft the benefit of the doubt. They do have time to fix these issues before final release.

But really. Come on!

This isn’t rocket science.

Now, I’d be a little less disappointed if the forensic team got the information from memory swap space, or by having to apply cryogenic memory retrieval tactics. This would at least indicate that Microsoft tried.

But from the article, it seems that they retrieved the files right out of the browser’s default local storage.

Here’s what really chafes me…

Microsoft IE runs on Microsoft Windows. Microsoft Windows runs on the hardware.

Microsoft runs the entire system. Memory allocation, process scheduling, you name it.

How can it be that they can fail to develop a simple tool that doesn’t store anything on disk, but uses only in-memory storage?

This is Microsoft doing what Microsoft does best: 80%.

Bill
