By David Methvin
A Windows Magazine investigation has shown the recently reported privacy concern with Microsoft's Windows 98 Registration Wizard goes much deeper than previously reported.
Not only can any website read information that uniquely identifies you and your PC, but that information can also be modified and/or sent to Microsoft without your consent.
Last week, Richard Smith of Phar Lap Software first identified a risk with the Registration Wizard, or RegWiz. (The Phar Lap discussion of this problem is at http://security.pharlap.com/regwiz/index.htm.)
Win 98 uses RegWiz to process your product registration form and submit it to a Microsoft server over the Internet. Two identification numbers are generated based on your PC configuration and the data you enter during registration. The first number, called the hardware identification number (HWID), can, in most cases, uniquely identify the computer. A second number, called the Microsoft ID (MSID), uniquely identifies a user and is placed in a browser cookie for access to services on Microsoft's website.
Windows contributing editor Martin Heller examined the interface to RegWiz and discovered that the control not only allows the HWID and MSID numbers to be read by any site, but also lets them be changed. That means any Web page can alter these ID numbers, and can even do so without your knowledge. A demonstration that uses RegWiz to read and set this information can be found at http://www.winmag.com/web/regwiz.htm.
RegWiz also includes the ability to send a PC's registration information to Microsoft. This can be triggered from any Web page without the user's consent. When this function is used, a small window appears that says "Sending the registration information to Microsoft ... Please wait." Other than disconnecting from the Internet, there is no way for a user to stop the transfer once it has started.
In response to the privacy concerns raised by the Registration Wizard, Microsoft has said it will no longer record the HWID information when a user registers, and will eliminate any use of the HWID information that might currently be in its databases. The company said it also expects to have a utility available within two weeks that deletes the HWID personal registration data from the registry. It is possible to disable RegWiz and remove the information manually by using the Win 98 registry editor, and we have provided instructions for doing this at http://www.winmag.com/web/regwizoff.htm.