Windows 8 tells Microsoft about any installed programs



    As promised, in early August Microsoft released, for almost free download, a Release Preview version of its most controversial operating system in recent years: Windows 8. Researchers and simply interested people, including Nadim Kobeissi, who 24- On August 1, he published data showing that one of the little-known Windows 8 utilities sends Microsoft information about all installed applications. Collecting such data about a user can potentially result in prosecution, not only judicial but also political, for example in regions where the situation is unstable.

    For some time Nadim happily used the RTM version of Windows 8 on one of his computers, noting the excellent speed and functional design of this member of the popular operating system line. But while studying its security, he came across a problem that caught his interest.

    Windows 8 has a feature called Windows SmartScreen, which is enabled by default. It monitors every application the user tries to install in order to warn about the security status of that program.

    The scheme is simple: when the user opens the installer of any software package (for example a browser, image editor or text editor), Windows SmartScreen collects some identifying information about the application and sends it to Microsoft servers. If the response says that the application is not signed with the necessary certificate, the user decides whether to run the installer or ignore it. If there is no Internet connection, a warning is displayed stating that the application cannot be validated.



    Apart from the direct problem, that tracking every attempt to install a program by default violates the user's privacy, it is worth noting that Microsoft could be pressured to hand the data over to government agencies and to legal representatives of major copyright holders.

    The information being sent may also be intercepted, which would reveal what programs the user installs. Nadim noted that SmartScreen connects via HTTPS to the apprep.smartscreen.microsoft.com server, where requests are processed by a Microsoft IIS 7.5 server. The server on the Microsoft side is configured so that it accepts requests encrypted with SSLv2, which, as is known, was compromised. The encryption certificate is provided by GTE CyberTrust Global Root of Microsoft Secure Server Authority; the digital certificate authority model has previously proven its vulnerability.

    According to Microsoft, SmartScreen sends only the hash of the installer and its digital signature (if any). However, knowing the external IP address is enough to establish, if necessary, that a certain person tried to install a specific program. Another researcher studied the chronicles of Nadim's panic and found that the file name was also sent.

    0U2FtZUdhbWUuZXhld3ff5939726c9f8fa6e514fb65eb470a1f9ec7a65b2706732
    a03749226c252004505611000F98AD9C-D498-42B3-B421-E6C97A8E61E7B68802CA-B396-4773-8FD9-EEECA4DE65D9ZW4tVVM=6.2.9200.0.0OS4xMC45MjAwLjE2Mzg010.00.9200.163842


    Here, FName is the base64 encoded name of the program installer, and FHash is its SHA-256 hash.
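
    What these two fields give away, as an added example that is not from the original article or from Microsoft: base64 is reversible by anyone, and a SHA-256 digest of a publicly distributed installer can be matched by whoever holds the same file. The function names, the UTF-8 assumption and the installer bytes are constructed for illustration; only the FName value is taken from the request shown above.

```python
import base64
import hashlib
from typing import Dict, Optional


def reported_fields(file_name: str, content: bytes) -> Dict[str, str]:
    """Compute the two identifying values the article names for an installer.

    Assumption: the name is UTF-8 before base64 encoding (the sample on the
    page decodes cleanly that way).
    """
    return {
        "FName": base64.b64encode(file_name.encode("utf-8")).decode("ascii"),
        "FHash": hashlib.sha256(content).hexdigest(),
    }


def decode_fname(fname_b64: str) -> str:
    """base64 is an encoding, not encryption: anyone can reverse it."""
    return base64.b64decode(fname_b64, validate=True).decode("utf-8")


def identify(fhash: str, known: Dict[str, bytes]) -> Optional[str]:
    """Match a reported hash against digests of files the observer also holds.

    A SHA-256 digest hides nothing about a publicly distributed installer:
    whoever has the same file computes the same digest.
    """
    wanted = fhash.lower()
    for label, content in known.items():
        if hashlib.sha256(content).hexdigest() == wanted:
            return label
    return None


# Constructed stand-ins for installer contents (not real binaries).
KNOWN_INSTALLERS = {
    "SameGame installer": b"constructed SameGame bytes",
    "Example browser installer": b"constructed browser bytes",
}

if __name__ == "__main__":
    # FName value taken from the request shown on the page.
    print(decode_fname("U2FtZUdhbWUuZXhl"))
    sent = reported_fields("SameGame.exe", KNOWN_INSTALLERS["SameGame installer"])
    print(sent["FName"], identify(sent["FHash"], KNOWN_INSTALLERS))
```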

    SmartScreen is not so easy to turn off, and the system will periodically ask the user to turn it back on.



    To disable the SmartScreen filter, go to the System and Security section in the Control Panel, select the Action Center option and scroll the list to Windows SmartScreen.









    Theoretically, Redmond could start building a database of times, installed applications and IP addresses. Nevertheless, it is hard to expect such log collection from so clumsy a giant: Microsoft has repeatedly shown amazing softness, for example giving up the name Metro without a fight. For years the company has continued to deliver operating system updates even to users of unlicensed copies, only weakly pushing them toward legal status, and disabling SmartScreen, which is useful as a malware filter, should not be considered mandatory.
