Security researcher Nadim Kobeissi recently discovered a potential privacy violation in Windows 8's SmartScreen system, which screens every application a user installs against a database of known dodgy code and in return tells the user whether or not it is safe to proceed with the installation.
Furthermore, Kobeissi said that SmartScreen uses an "outdated and insecure" security system that could allow a hacker to intercept that data.
So, what's the big deal? Doesn't this protect users from installing rogue applications? Yes, indeed it does, but the big problem lies in the way SmartScreen is configured, which is "to immediately tell Microsoft about every app you download and install," Kobeissi wrote.
To make matters worse, the install logs "are sent to Microsoft and can be snooped by third-parties," the researcher claims, since the mechanism supports the SSLv2 protocol, which is known to be breakable. While it's possible to turn off SmartScreen, it's not easy, and the OS will remind you periodically to turn it back on.
"This problem can however get even more serious: It may be possible to intercept SmartScreen's communications to Microsoft and thus learn about every single application downloaded and installed by a target," he said.
Responding to Kobeissi's findings, Microsoft claims that his analysis of the privacy violation in Windows 8's SmartScreen system is inaccurate, stating:
"We can confirm that we are not building a historical database of program and user IP data," a spokesperson told El Reg. "Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users' privacy on the backend. We don't use this data to identify, contact or target advertising to our users and we don't share it with third parties," The Register reports.
As for concerns over leakage of material via SSLv2.0, "the SmartScreen communications to Microsoft are using a server based on SSLv2.0," which is "known to be insecure and susceptible to interception," Kobeissi wrote. Microsoft said that it "will not use this protocol with Windows 8 and that SmartScreen does not support that version."
He notes that approximately 14 hours after his post, another scan of Microsoft's SmartScreen servers revealed that they had been reconfigured to no longer support SSLv2. The servers now only support SSLv3 connections.
Countering Microsoft's statement that SmartScreen sends a hash of the app installer and its digital signature, if any, he said: "A combination of the hash and the user's IP address is still enough to identify that IP address x attempted to install software."
And another researcher has discovered that the filename of the app you're trying to install is indeed sent to Microsoft. This severely strengthens the privacy concerns.
Here's how SmartScreen works:
- "You download any application from the Internet.
- You open the installer. Windows SmartScreen gathers some identifying information about your application, and sends the data to Microsoft.
- If Microsoft replies saying that the application is not signed with a proper certificate, the user gets an error that looks something like this," explains Kobeissi.
In other Windows 8 news, the Windows 8 compatibility logo that leaked from MSDN today appears to be the final version for the RTM platform. The image below now shows TeamViewer's logo.
The benefits of certifying hardware for Windows 8 include:
- Your product is qualified to use "Windows 8 Compatible" artwork to distinguish your product
- You choose the logo artwork for your product packaging from the design options provided
- Your product is listed as "Certified" on the Windows 8 Compatibility Center
- Your product is listed as "Compatible" in the Windows 8 setup compatibility report
- Your updated drivers distributed on Windows Update
- Access to marketing assets and training as part of the Microsoft Partner Network
- Increased customer confidence in the quality of your product with Windows
- Opportunity to partner with Windows on the upcoming release of Windows 8
On a Dev Center page, Microsoft gave companies the go-ahead to place the Windows 8/RT compatibility logos on "physical packages," and also said the logos can't be used online, for point-of-sale marketing or in print advertisements until September 1.
"You may change its size, as long as the minimum width is 12.7 mm. The logo may not be altered in any other manner, including proportions, colors, visual elements, and any other way. The logo may not be animated, morphed, or otherwise distorted in perspective or dimensional appearance," Microsoft stated.
Wrapping up with the following tidbits of Microsoft product related news:
First up, the Windows Phone 8 SDK might be released on September 7th, "the date of the Visual Studio 2012 virtual launch event."
Microsoft's Channel9 posted a few new videos for the developer inside you, including:
In this video, Michael Washam demonstrates a variety of tips and tricks for Windows Azure IaaS scenarios. He shows how to configure a site-to-site virtual network using Windows Azure Virtual Networks and a Cisco ASA 5505.
Additionally, he shows how to setup a web farm with content synchronization using Windows Azure Virtual Machines and Web Deploy.
Finally, you will see how to use the connect button in the Windows Azure management portal to remote desktop into a Linux virtual machine.
In this video, Anton Babadjanov, Program Manager of the Windows Azure SDK for PHP, shows how to create a simple task list application that interacts with Windows Azure Storage using the Windows Azure SDK for PHP.
Finally, to help localize your Windows 8 apps, Microsoft is offering a set of free tools that integrate into Visual Studio 2012, including the Express for Windows 8 edition.
The tool set, dubbed "Multilingual App Toolkit for Visual Studio 2012," is an extension that enables translation support through tools and guides by focusing on the following areas:
- "Integration with Visual Studio IDE enables you to add and manage translation files to a project solution using standard Visual Studio menus and dialogs.
- Pseudo language engine gives you 'in house' testing of localized apps by identifying translation issues during development such as hardcoded, concatenated, or truncated strings and other visual issues that arise when working with languages. Pseudo translations are stored in the localization industry standard XLIFF file format and can be edited just like any other language translation. This gives you granular control over pseudo translation testing.
- Translation file export & import roundtrip provides you with the ability to send and receive resources in XLIFF files to friends, family, or a translator services for review.
- XLIFF lightweight editor provides a lightweight localization UI for editing translated strings. Get translation suggestions quickly by using the integrated Microsoft Translator (requires active Internet connection). It also allows you to quickly edit data stored in XLIFF files by adjusting pseudo and/or actual translations," Microsoft explained.
In this episode, you will find some frequently asked questions regarding Windows Server 2012 licensing and pricing. More specifically, you will find the key differences between the Standard and Datacenter editions, their key features, the Software Assurance program and pricing.