Windows Update Changes IE Cookies Names
Anyone who has read my blog knows how I feel about automatic software updates. My previous posts include
This week one of the critical updates from Microsoft made a change in how cookie names are displayed by WinPatrol. This is a minor annoyance and I expect it will affect other programs in one way or another. I’m not sure why but the update appears to have made a global change in how Microsoft names individual cookie files used by Internet Explorer.
While other browsers have individual database entries for cookies, Internet Explorer creates a file where it stores multiple cookies for a particular website. WinPatrol displays a list of each website and allows you to view the contents of the file.
Cookies created before the Windows update still have filenames which make it somewhat obvious where the cookies came from. This allows the WinPatrol Cookie Manager to remove and filter cookies based on portions of their name. At this time filtering out unwanted cookies in IE depends on the filename.
Since the update, new cookie names appear to be randomly created filenames. I’m not sure what security issue this resolves but it’s going to make it a harder to use WinPatrol to manage unwanted cookies. If this is the new Microsoft method I don’t see making any kind of change to provide a fix in the near future. The update does not affect how WinPatrol manages Firefox and Chrome cookies.
Chrome Cookies Displayed by WinPatrol
Chrome and Firefox store cookies in a SQLite database so WinPatrol is able to display the entire contents of each cookie. The recent update by Windows won’t make any changes to how we display these cookies.
I’m going to get a lot of support Email but otherwise this auto update probably won’t hurt any other Windows function. WinPatrol users will lose some functionality. I’m not sure I will have a fix coming soon but I’ll look into it.
Recommendation: Update anyway
In general, my auto update recommendation hasn’t changed. I set my Windows AutoUpdate setting to “Download updates but let me choose whether to install them”. There will be a few exception but I usually wait 7-10 days before actually installing the updates. That allows the rest of world to beta test the change. If there is a severe security fix for a threat which is known to be out in the wild, I will recommend updating immediately. Stay tuned to BitsfromBill for additional information.
In this particular case I would not wait. There are reports of threats actively at work which will allow others to execute programs remotely. This danger is far more dangerous than any cookies. Given a choice I would accept and install the update from Microsoft Windows.
Microsoft has confirmed they have decided to change how cookie files are named. http://blogs.msdn.com/b/ieinternals/archive/2011/08/12/internet-explorer-9.0.2-update-changes-file-protocol-and-cookie-naming.aspx
“We do not expect significant compatibility fallout from this change either, as the names of these files have always been somewhat dynamic. Directly enumerating or reading the Cookie files has never been supported.”
While I agree nobody at Microsoft promised to support this convention, I don’t understand how this change it related to the current threat causing remote execution of machines.
I do have a work around the changes that Microsoft has implemented. I do have other changes I’d like to release so hopefully, by the end of the month I’ll have a new release which will provides a user interface that is friendly and intuitive.