lowmanio.co.uk title image

Windows cookies

Wed, 28 Sep 2011 05:43PM

Category: Digital Forensics & Malware

Written by Sarah | No comments

Windows released a security update on the 9th August which means that cookies are no longer stored in the usual <username>@<service>.txt, but are now a random set of 8 alphanumeric characters, e.g. A1B2C3D4.txt. It seems this has broken a lot of software, especially those than delete cookies as they probably rely on the fact that cookies had a very conventional naming method. Old cookies stay the same as you can see from the below screen shot of my cookies folder.

Screen shot of my cookies folder. The cookies now have a different naming convention.

The change came about as a solution to a 'Drag and Drop Information Disclosure Vulnerability'. From the Microsoft Security Bulletin page, this vulnerability means that:

An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page and performed a drag-and-drop operation. An attacker who successfully exploited this vulnerability could gain access to cookie files stored in the local machine.

The update addresses the vulnerability by modifying the way that Internet Explorer accesses files stored in the local machine and manages cookie files. This includes a change in the way that Internet Explorer sets file names for cookie files to help make cookie file names less predictable.

Read more about the vulnerability here. So in terms of forensics, AFAIK nothing has changed in terms of the contents of the cookies, but some pieces of software might break when trying to identify them.

Tagged with: Internet Explorer, cookies


No comments.

Add a comment