Windows 8 contains a significant privacy flaw, insecurely telling Microsoft about every program you run, according to student and developer Nadim Kobeissi, whose assessment fails to grasp some key technical details.

Kobeissi, who has made a name for himself with his controversial browser-based secure chat service Cryptocat, says that the flaw lies in Windows 8's SmartScreen feature. The first time you run any downloaded executable on Windows 8, the operating system sends information about that application to Microsoft. Kobeissi says that this information is sufficient to identify the application you're running, and that Microsoft could combine this with IP address information to know who was running what.

Further, Kobeissi says that the server Microsoft sends the information to supports the SSLv2 protocol, which is known to be insecure.

Microsoft's SmartScreen service was first introduced in Internet Explorer 8, as an extension of Internet Explorer 7's phishing filter. When SmartScreen is being used (which is most of the time; it is enabled by default), Internet Explorer sends every URL being visited to Microsoft's SmartScreen servers. If the servers recognize the URL as being malicious, Internet Explorer will display a warning message about the URL and impede access to it.

Google operates a similar blacklist service, offering both an online URL checker, used by Chrome, and an offline downloadable blacklist, used by Firefox and Safari.

Windows 8 extends the SmartScreen system to cover not just the URLs visited in the browser, but also files downloaded by the browser. Whenever Internet Explorer saves a file to disk, it adds information called a Zone Identifier to the file that indicates whether the file came from the Internet, the local intranet, a trusted site, or elsewhere. HTML files are additionally given the Mark of the Web to denote their origin. Third-party browsers such as Chrome do the same.

In Windows 7, running an executable that has a Zone Identifier, but which lacks a trusted digital signature, yields a generic warning message to say that the program's safety can't be vouched for. Removing the Zone Identifier prevents the warning from recurring.
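The Zone Identifier described above is stored on NTFS as a small alternate data stream named `Zone.Identifier` in INI syntax, with a `ZoneId` value drawn from Internet Explorer's URL security zones. The following is an added example, not code from the article or from Microsoft: it parses that stream, names the zone, decides whether the file counts as an Internet download, and removes the mark the way "unblocking" does. The stream text is constructed inline; the assumption that only the Internet (3) and Restricted sites (4) zones trigger the warning reflects how the Windows Attachment Manager treats zones and is not stated on the page.

```python
import configparser
import os
from typing import Optional

# URL security zone ids that browsers write into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of the stream content for a file saved from the Internet.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier stream text, or None if it is absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def zone_name(zone_id: Optional[int]) -> str:
    """Human-readable zone name; unknown ids are reported rather than guessed."""
    if zone_id is None:
        return "no mark"
    return ZONE_NAMES.get(zone_id, f"unknown zone {zone_id}")


def is_marked_from_internet(zone_id: Optional[int]) -> bool:
    """Assumption (not from the article): only Internet and Restricted sites zones trigger
    the open-file warning and, on Windows 8, the SmartScreen check."""
    return zone_id in (3, 4)


def read_zone_identifier(path: str) -> Optional[str]:
    """On Windows/NTFS the mark is addressed as '<file>:Zone.Identifier'.
    Returns None when no stream exists (never downloaded, or already unblocked);
    on other file systems or platforms the open simply fails and None is returned."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def unblock(path: str) -> bool:
    """Delete the Zone.Identifier stream (what PowerShell's Unblock-File does).
    Windows-only; returns False if there was no stream to remove."""
    try:
        os.remove(f"{path}:Zone.Identifier")
        return True
    except OSError:
        return False


if __name__ == "__main__":
    zone_id = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId={zone_id} ({zone_name(zone_id)}), checked on first run: "
          f"{is_marked_from_internet(zone_id)}")
```

Running the block on a real download on Windows (`read_zone_identifier(r"C:\Users\me\Downloads\setup.exe")`) returns the stream text, which `parse_zone_identifier` turns into the zone id; `unblock` on the same path removes the mark so the warning, and on Windows 8 the SmartScreen check, no longer occurs.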

In Windows 8, instead of merely showing a generic warning, the operating system does a SmartScreen check on the downloaded file. Because this is a file on a hard disk rather than a URL, Windows doesn't have a URL to send. Instead, as described by Rafael Rivera, it sends the file's name and a hash (a kind of cryptographic "fingerprint") of the file's contents.

The operating system then displays a warning if the file is known to be malicious.

The privacy risk that Kobeissi claims is twofold. First, Microsoft could store the executable and IP address information of every request made. This would allow the company to make some estimates of which IP addresses were running which software.

Second, due to the apparent support of the vulnerable SSLv2 protocol, a hostile party could eavesdrop on the connection and build a similar database cross-referencing IP addresses with executables.

However, calling this a significant security risk seems more than a little unwarranted.

There are some technical problems with Kobeissi's complaint. Although he says that the server supports SSLv2, that's only part of the story. Windows clients using the operating system's built-in SSL capabilities don't, by default, support SSLv2. They support SSLv3 and TLS 1.0, neither of which is vulnerable to the same eavesdropping attacks that SSLv2 is susceptible to. A comment on Kobeissi's blog states that, in practice, the connection uses TLS 1.0. While TLS 1.0 does have some flaws when used in other contexts, it rules out trivial eavesdropping by malicious third parties.

Update: Microsoft has disabled SSLv2 support from its servers, and Kobeissi has updated his blog post accordingly.

This still means that Microsoft could determine which programs individual IP addresses are using. There would be some implementation issues to address first, however. Microsoft only receives the executable name and its hash. Sometimes the executable name is useful, containing the software name and version information, but a lot of the time it will be simply "setup.exe" (unfortunately, as it's very annoying if you ever want to find the installer for a program after you've downloaded it).

This leaves the hashes. Microsoft likely doesn't have a mapping from file hashes to actual executables, so it can't immediately tell which hash corresponds to which actual executable, but it could, in principle, trawl the Web looking for executables and computing their hashes. With this, the company could know that a particular IP address was running a particular program, or at least its installer.
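To make the inference described in the preceding paragraphs concrete, here is an added example (not code from the article, Microsoft, or Kobeissi) that builds the client-side report, the observer-side hash index, and the join between the two. It also shows the retention model that supports a popular/unpopular reputation signal without any per-IP history. Everything is constructed: the installer bytes, the IP addresses (documentation ranges), the log, and the choice of SHA-256, since the article only says "a hash".

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for installer contents that an observer has already hashed
# (the article's "trawl the Web looking for executables and computing their hashes").
KNOWN_INSTALLERS = {
    "FooApp 1.2": b"constructed bytes standing in for the FooApp 1.2 installer",
    "BarTool 3.0": b"constructed bytes standing in for the BarTool 3.0 installer",
}


def sha256_hex(data: bytes) -> str:
    # SHA-256 is an assumption; the article only says "a hash" of the contents.
    return hashlib.sha256(data).hexdigest()


def client_report(file_name: str, data: bytes) -> dict:
    """What the article says Windows 8 sends on first run: the file name plus a content hash."""
    return {"name": file_name, "hash": sha256_hex(data)}


def build_hash_index(installers: dict) -> dict:
    """Observer side: map hash -> software label for every installer already seen."""
    return {sha256_hex(data): label for label, data in installers.items()}


# Constructed server-side log of (client IP, report), i.e. the history an operator
# would need to keep for the inference (Microsoft states it does not keep one).
SAMPLE_LOG = [
    ("198.51.100.7", client_report("setup.exe", KNOWN_INSTALLERS["FooApp 1.2"])),
    ("198.51.100.7", client_report("setup.exe", KNOWN_INSTALLERS["BarTool 3.0"])),
    ("203.0.113.9", client_report("setup.exe", KNOWN_INSTALLERS["FooApp 1.2"])),
    ("203.0.113.9", client_report("setup.exe", b"constructed bytes of an installer not in the index")),
]


def software_by_ip(log: list, index: dict) -> dict:
    """Join the log with the hash index. The name alone says nothing ('setup.exe' everywhere);
    the hash resolves every file the observer has hashed before, the rest stay unknown."""
    result = defaultdict(list)
    for ip, report in log:
        result[ip].append(index.get(report["hash"], f"unknown ({report['name']})"))
    return dict(result)


def reputation_counts(log: list) -> dict:
    """Retention model for a popular/unpopular download signal without per-IP history:
    count by hash only, so the IP address is never stored alongside the program."""
    counts = defaultdict(int)
    for _ip, report in log:
        counts[report["hash"]] += 1
    return dict(counts)


if __name__ == "__main__":
    index = build_hash_index(KNOWN_INSTALLERS)
    for ip, programs in software_by_ip(SAMPLE_LOG, index).items():
        print(ip, "->", programs)
    for digest, count in reputation_counts(SAMPLE_LOG).items():
        print(digest[:12], "seen", count, "times")
```

The two aggregations differ only in what the log retains: `software_by_ip` needs the IP kept next to each report, which is exactly the history Microsoft says it does not build, while `reputation_counts` yields the application reputation signal from hashes alone.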

If Microsoft cross-referenced this with other information it collects, such as Microsoft Account information, it could possibly even associate names with executables.

When asked for comment, a Microsoft spokeswoman told us:

We can confirm that we are not building a historical database of program and user IP data. Like all online services, IP addresses are necessary to connect to our service, but we periodically delete them from our logs. As our privacy statements indicate, we take steps to protect our users’ privacy on the backend. We don’t use this data to identify, contact or target advertising to our users and we don’t share it with third parties. With respect to the claims of SSL security and data interception risk posed by the SSL2.0 protocol, by default Windows 8 will not use this protocol with our service. Windows SmartScreen does not use the SSL2.0 protocol.

The company has also talked in the past about the privacy implications of earlier iterations of SmartScreen. Although Microsoft does collect some data (for example, it distinguishes between popular downloads and unpopular downloads, as part of its application reputation feature), that same data is also anonymized.

As such, the privacy risk here is minimal.

Additionally, one can opt out of SmartScreen entirely; it's an optional feature. The filtering is turned on by default (which we'd argue makes sense, as there is a proven practical need to protect mainstream users against malware), but Windows 8's initial setup both specifies that this kind of protection is performed (the second bullet in the list), and offers the ability, via the custom setup route, to disable it. It can also be disabled after installation through the settings dialog in Explorer.

But fretting about SmartScreen is missing a rather larger point. Windows 8 includes within it a store. So does Windows RT, the ARM version of Windows 8. All third-party applications that use the Metro environment must be installed via the store, and for Windows RT, every third-party application must use the Metro environment. Microsoft will be collecting information about these downloads and purchases, and no doubt creating top ten lists from it.

Every time an application is downloaded or purchased from the Windows Store, Microsoft is explicitly, overtly, and necessarily informed of the download. These downloads are automatically associated with Microsoft Accounts, too, meaning that they can be paired not merely with an IP address, but with an e-mail address and, in many cases, a name and billing information.

To decry SmartScreen as a privacy risk is to miss the far greater privacy risk: one shared by every platform that has this kind of integrated store system.
