Uncategorized Friday, August 24th 2012 at 9:45 am

Windows 8 Lets Microsoft Know What You’ve Installed, and It Isn’t Very Secure

The closer we get to the October 26 release date of Windows 8, the more disappointing news about the new operating system we receive. We’ve learned that Windows 8 forces you into the tablet-style UI and doesn’t boot straight to desktop, and that the operating system requires users to enter a product key to install it, something previous versions of the operating system didn’t force users to do. Now, developer Nadim Kobeissi has found that Windows 8 tells Microsoft about everything you install, and doesn’t even do it too securely.

Using the recent RTM build of Windows 8, Kobeissi found something odd with Windows SmartScreen, an application that is turned on by default and screens everything one installs from the Internet in order to tell the user whether it's safe. When you tell Windows 8 to download something, it gathers information about the application, then sends the data off to Microsoft. Microsoft's servers (obviously an automated process) check the credentials, then let you know whether or not the application is signed with an official certificate. Pretty standard stuff. However, Kobeissi finds that Windows 8 is “configured to immediately tell Microsoft about every app you download and install.”

Kobeissi finds that the information being delivered to Microsoft isn’t exactly secure:

After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from “GTE CyberTrust Global Root” to “Microsoft Secure Server Authority.” The Certificate Authority model is itself susceptible to some serious problems.

He also notes that turning off SmartScreen isn’t exactly an easy process, and once it’s off, Windows will bug you to turn it back on. He also notes that, since Microsoft will be made aware of every single application installed by a user, it puts Microsoft in a weird situation where they can obtain all application usage information from all of their users. Kobeissi also updated his findings noting that SmartScreen isn’t the worst kind of privacy breach or anything, but the information sent to Microsoft is easily enough for a knowledgeable ne’er-do-well to find out what anyone using Windows 8 has installed on their computer.

So, though this isn’t great news, SmartScreen can be disabled, and if you’re concerned about your computer’s privacy, it probably should be.

(via Nadim Kobeissi)

  • Kalthian

    Well, as if I didn’t when I heard about the tablet UI thing, now I am DEFINITELY not going to change to 8. I will probably just treat it like Vista and wait for 9 or whatever the next iteration of Windows will be, hopefully less retarded.

  • Dr Coene

    Looks like Windows 8 is the next skippable Microsoft OS.

    And Windows 7 is the new XP.

  • Dr Coene

    Exactly what I’m doing.

    I rather like Windows 7.

  • Rhys Nottellin

    Read “Windows (blah blah blah) Isn’t Very Secure” and that’s all I needed from this article. You don’t say?

  • Dr Coene

    I’ve never had a problem with Windows 7 or Windows XP.

  • Joey

    Why can’t they just make 7 louder?

  • Corey

    Just more FUD. Apple and Android do the same.

  • Filip Dupanović

    The serious flaw of this article is that the actual content that’s being transmitted hasn’t been investigated. For all I could care to think, it could be a fixed-size bit string that’s devised to have optimal computation and data transmission requirements to minimize resource consumption on battery powered devices. A minimal fixed-size bit string, mind you, that’s simply a connotation to something that doesn’t even contain any back-references to you.

    This beats manually computing the checksum and obtaining a comparison key. And seriously, how many people even do that when they manually retrieve something? And even then, what makes you so sure that the HTTP resource you retrieved is providing the real key?

    I mean, you communicated with a torrent tracker over a traceable, insecure transmission and suddenly you’re worried about the operating system that intelligently identifies content retrieved from external devices and other sources is performing a signature check on that Razor Foo game setup file? Get a life.

  • Dx4me

    Why would u fix something that is not broken?? Windows 7 is good in all measures (at least for me as a user). I don’t need another version of Windows … just boost the 7 .. it’s a success … the tablet UI is definitely the reason am not switching to 8..

  • Ernest TheGhost Buffington

    Windows 8 has a few good features, apart from the idea that some idiot wanted to turn our PC into an oversized cell phone. This poor choice will cost Microsoft billions. Someone wet behind the ears made this choice and then had a table full of half wits vote it in. I’m switching to Apple tomorrow. Bill Gates just does not care anymore and now neither do I.