Playing around with the manufacturers' version of the not-yet-widely released Windows 8, programmer (and hacker) Nadim Kobeissi discovered that the operating system "tells Microsoft about everything you install" and does that "not very securely." Basically, the new Windows has this program called SmartScreen that's designed to protect users but instead gives Windows (and possible hackers) access to a lot of information. Here's the crux of the issue from Kobeissi's blog:
- Windows 8 will, by default, inform Microsoft of every app downloaded and installed by every user. This puts Microsoft in a compromising, omniscient situation where they are capable of retaining information on the application usage of all Windows 8 users, thus posing a serious privacy concern. The user is not informed of this while installing and setting up Windows 8, even though they are given the option to disable SmartScreen (which is enabled by default.)
- Windows 8 appears to send this information to Microsoft to a server that relies on Certificate Authorities for authentication and supports an outdated and insecure method of encrypted communication. It is possible that these insecurities could allow a malicious third party to target a Windows 8 user and learn which applications they are using. This allows them to profile the user and decide how to best exploit their personal selection of applications and their computing habits.
As commenters on his post note, Apple also knows this kind of information when we download apps in its marketplace. That doesn't make Microsoft's move right, though. And from the sound of it, Microsoft knows more detailed information than Apple does. The other difference between Apple and Microsoft is that Microsoft can still fix some of the security issues outlined by Kobeissi, as he only played around with the manufacturers' version. The consumer version is due for release on October 26.
This article is from the archive of our partner The Wire.