Watch out for cookies when using the Microsoft AntiSpyware beta

Last year I blogged about Microsoft’s acquisition of Giant Software and I’ve been using their AntiSpyware Beta since it was made available in January; but last week I was looking at the inordinate amount of spam my Dad receives and that got me thinking about the overall security on his PC (which has my e-mail addresses in the address book!). After installing Lavasoft Ad-Aware SE Personal, I found that the Microsoft AntiSpyware Beta product he had been using was doing a pretty good job, but there were a load of tracking cookies which it had not identified. Today, I ran the same tests on two of my PCs and found the same.

As the Microsoft product is based on Giant’s well-regarded software I decided to look a bit deeper…

It turns out that although the Giant version of the product scans for cookies, the Microsoft version does not as they are not regarded as a threat (despite Ad-Aware classifying them as critical objects). In their information for Giant AntiSpyware users who have active subscriptions, Microsoft says:

“Giant AntiSpyware detects and removes cookies from your computer. Because many Web sites require the use of cookies to enable a great user experience, Windows AntiSpyware (Beta) does not remove cookies.”

So are cookies a threat? The answer is both “Yes” and “No”. Quoting from an HP article on where spyware hides:

“Cookies can help users streamline online transactions, remember browsing preferences and user profiles, and personalize pages. Many users don’t realize that cookies can be used to compile data so companies can construct a profile about the websites they visit and the web banner advertisements they click through. This information is mined so companies can deliver targeted ads.

Some websites respectfully use temporary cookies (session cookies) that disappear when you close the browser. Many more websites use persistent cookies that remain on your hard drive indefinitely. Microsoft Internet Explorer and Netscape Navigator, the two most popular browsers, still send out existing cookies even if you’ve disabled cookies in your browser settings. This means you must delete cookie files manually to keep from being tracked by third-party ad networks and spyware providers.”

And from the privacy.net cookie demo:

“Some common uses for Internet cookies are:

  • An anonymous code given to you so the web site operator can see how many users return at a later time. These cookies are configured to stay on your system for months or years and are called “persistent” cookies.
  • A code identifying you. This usually occurs after a registration. The site could keep a detailed account of pages visited, items purchased, etc. and even combine the information with information from other sources once they know who you are.
  • A list of items you purchased. This is often used in “shopping cart” web sites to keep track of your order. Often cookies of this type ‘expire’ as soon as you log out or after a short time. These are called “session” cookies.
  • Personal preferences. This can be anonymous or linked to personal information provided during a registration.

Cookies are supposed to be only accessible from the site that placed them there. However, in some cases cookies from other sites show up in the log files so it is not a secure way to authenticate a user.”

So you can see that session cookies are fine. So are some persistent cookies (e.g. the one which tells the BBC website where I live so it can give me localised information); but most of the ones I found were tracking cookies for advertising sites. These are not good and I urge Microsoft to include cookie detection in the release version of Microsoft AntiSpyware (perhaps using the SpyNet AntiSpyware community to distinguish between good and bad cookies?).

Finally, for anyone worrying about what happens when their version of the Microsoft AntiSpyware Beta expires at the end of July, Microsoft has started to push updates and one of my PCs upgraded itself to version 1.0.614 today, which expires at the end of December. The others are still on 10.0.501 but I expect to see them do the same over the next few weeks.

Further reading

Adware/Spyware thread (pcreview.co.uk)
Cookie demonstration (privacy.net)
Microsoft AntiSpyware: Torn Apart

2 thoughts on “Watch out for cookies when using the Microsoft AntiSpyware beta

Leave a Reply