Skip to main content

Windows 8 Lets Microsoft Know What You’ve Installed, and It Isn’t Very Secure

The closer we get to the October 26 release date of Windows 8, the more disappointing news about the new operating system we receive. We’ve learned that Windows 8 forces you into the tablet-style UI and doesn’t boot straight to desktop, and that the operating system requires users to enter a product key to install it, something previous versions of the operating system didn’t force users to do. Now, developer Nadim Kobeissi has found that Windows 8 tells Microsoft about everything you install, and doesn’t even do it too securely.

Using the recent RTM build of Windows 8, Kobeissi found something odd with Windows SmartScreen, an application that, turned on by default, screens everything one installs from the Internet in order to tell the user if it’s safe or not. When you tell Windows 8 to download something, it gathers information about the application, then sends the data off to Microsoft. Microsoft (obviously automated) checks out the credentials, then lets you know whether or not the application is signed with an official certificate. Pretty standard stuff. However, Kobeissi finds that Windows 8 is “configured to immediately tell Microsoft about every app you download and install.”

Kobeissi finds that the information being delivered to Microsoft isn’t exactly secure:

After running some tests on this Microsoft server, I discovered that it ran Microsoft IIS 7.5 to handle its HTTPS connections. The Microsoft server is configured to support SSLv2 which is known to be insecure and susceptible to interception. The SSL Certificate Authority chain goes down from “GTE CyberTrust Global Root” to “Microsoft Secure Server Authority.” The Certificate Authority model is itself susceptible to some serious problems.

He also notes that turning off SmartScreen isn’t exactly an easy process, and once it’s off, Windows will bug you to turn it back on. He also notes that, since Microsoft will be made aware of every single application installed by a user, it puts Microsoft in a weird situation where they can obtain all application usage information from all of their users. Kobeissi also updated his findings noting that SmartScreen isn’t the worst kind of privacy breach or anything, but the information sent to Microsoft is easily enough for a knowledgeable ne’er-do-well to find out what anyone using Windows 8 has installed on their computer.

So, though this isn’t great news, SmartScreen can be disabled, and if you’re concerned about your computer’s privacy, it probably should be.

(via Nadim Kobeissi)

Relevant to your interests

Have a tip we should know? [email protected]

Filed Under:

Follow The Mary Sue: