Windows cookies

Windows released a security update on the 9th August which means that cookies are no longer stored in the usual <username>@<service>.txt, but are now a random set of 8 alphanumeric characters, e.g. A1B2C3D4.txt. It seems this has broken a lot of software, especially those than delete cookies as they probably rely on the fact that cookies had a very conventional naming method. Old cookies stay the same as you can see from the below screen shot of my cookies folder.

Screen shot of my cookies folder. The cookies now have a different naming convention.

The change came about as a solution to a ‘Drag and Drop Information Disclosure Vulnerability’. From the Microsoft Security Bulletin page, this vulnerability means that:

An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page and performed a drag-and-drop operation. An attacker who successfully exploited this vulnerability could gain access to cookie files stored in the local machine.

The update addresses the vulnerability by modifying the way that Internet Explorer accesses files stored in the local machine and manages cookie files. This includes a change in the way that Internet Explorer sets file names for cookie files to help make cookie file names less predictable.

Read more about the vulnerability here. So in terms of forensics, AFAIK nothing has changed in terms of the contents of the cookies, but some pieces of software might break when trying to identify them.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s