Windows 8, for those of you who don’t know, relies on something called SmartScreen Application Reputation to identify and warn users of potentially dangerous desktop apps. According to Microsoft, the operating system uses SmartScreen, which was previously restricted to Internet Explorer, to conduct “an application reputation check the first time you launch applications that come from the Internet.” With SmartScreen providing an additional layer of security to Windows 8 users, they will have a lot less to worry about, right? Wrong, according to Canadian security researcher Nadim Kobeissi, who has a serious issue with the way the feature works.
“Windows SmartScreen’s purpose is to ‘screen’ every single application you try to install from the Internet in order to inform you whether it’s safe to proceed with installing it or not,” Kobeissi wrote in a blog post Friday. “There are a few serious problems here. The big problem is that Windows 8 is configured to immediately tell Microsoft about every app you download and install.”
Kobeissi, otherwise highly impressed with Windows 8, is especially concerned about the potential of SmartScreen data being vulnerable to “judicial subpoenas or National Security Letters intended to monitor targeted users.” Having also discovered that the data was being relayed to a Redmond-based server configured to support SSL 2.0, he warned about the potential of this information being intercepted. However, he now claims that the alarm he raised was enough to force Microsoft into switching its SmartScreen servers to SSL 3.0. As per Kobeissi, the change occurred within 14 hours of his article being published.
Besides switching to SSLv3, Microsoft has done one more thing. It has issued a statement to allay such concerns: “We can confirm that we are not building a historical database of program and user IP data,” a spokesperson for the company said. “Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties.”
“With respect to the claims of SSL security and data interception risk posed by the SSL2.0 protocol, by default Windows 8 will not use this protocol with our service. Windows SmartScreen does not use the SSL2.0 protocol.”
But the question remains: Can Microsoft keep a tab on the apps you install? Even though the answer is yes, according to Windows hacker Rafael Rivera, he feels it’s expecting far too much from a company “that’s scared to fart in fear of litigation. (They won’t even defend their Metro design language naming for crying out loud.)”