__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
Office XP Error Reporting May Send Sensitive Documents to Microsoft
October 15, 2001 20:00 GMT Number M-005
Revised: October 16, 2001, 1900 GMT
Revised: October 18, 2001, 1900 GMT
______________________________________________________________________________
PROBLEM: Microsoft Office XP and Internet Explorer version 5 and later
are configured to automatically send debugging information to
Microsoft in the event of a program crash. The debugging
information includes a memory dump which may contain all or
part of the document being viewed or edited. This debug message
potentially could contain sensitive, private information.
PLATFORM: Microsoft Office XP
Microsoft Internet Explorer 5.0 and later
Microsoft Windows XP
Microsoft has indicated that this will be a feature of all new
Microsoft products.
DAMAGE: Sensitive or private information could inadvertently be sent to
Microsoft. Some simple testing of the feature found document
information in one message out of three.
SOLUTION: Apply the registry changes listed in this bulletin to disable
the automatic sending of debugging information. If you are
working with sensitive information and a program asks to send
debugging information to Microsoft, you should click No.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is MEDIUM/LOW. Sensitive documents could be
sent to Microsoft.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-005.shtml
PATCHES: Office XP:
http://www.ciac.org/ciac/bulletins/office/UnWatsonXP.reg
IE:
http://www.ciac.org/ciac/bulletins/office/UnWatsonIE6.reg
______________________________________________________________________________
[Revision 10/16/01 Emphasize debug dialog box]
[Revision 10/17/01 Removed erroneous key, IEWatsonDisabled, from reg file]
[Revision 10/18/01 Added links to Microsoft pages]
Microsoft's Error Reporting Can Send Your Data Across the Internet
Office XP, Internet Explorer (version 5 and higher), and Windows XP use a
feature called Error Reporting to send crash and debug information back to
Microsoft to help them detect and fix bugs in their software. Unfortunately,
Error Reporting can send portions of the document or web site you are viewing
along with this debugging information. The error reporting feature and the data
it collects are described in the following pages on the Microsoft website.
http://www.microsoft.com/office/ork/xp/two/admA05.htm
http://watson.microsoft.com/dw/1033/dcp.asp
Error reporting in Internet Explorer is discussed on the following pages.
Note that the name of the registry key to change is wrong in this article.
The key is IEWatsonEnabled and should be set to 0 to disable Error Reporting.
http://support.microsoft.com/support/kb/articles/Q276/5/50.ASP
When error reporting activates after a crash, it displays a dialog box that
asks to send debugging information to Microsoft. The information sent to
Microsoft includes a copy of the block of memory where the program was
running when it crashed. It is not evident from the dialog box that the
contents of the document being edited may be in that memory block. If the
document you are viewing or editing could in any way be considered
sensitive, you should answer Don't Send to this request.
This bulletin contains instructions for disabling Error Reporting in both
Internet Explorer and Office XP on all versions of Windows. (At this time,
Error Reporting is not available, and does not need to be disabled, on
Macintosh computers.)
Office XP
=========
To disable Error Reporting in Office XP (on any version of Windows), use the
Registry script below. Double-clicking on a .REG file runs Regedit and makes
the changes in the file. The script disables Error Reporting for the current
user only, and so must be run by each user of a system. (New users created
after the script is run will have the changes made for them, and do not need
to re-run the script.)
Registry Script UnWatsonXP.reg
------------------------------
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001
"DWNoFileCollection"=dword:00000001
"DWNoSecondLevelCollection"=dword:00000001

[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001
"DWNoFileCollection"=dword:00000001
"DWNoSecondLevelCollection"=dword:00000001

Only administrators have access to the Registry. If you receive an error when
trying to run this script, contact your administrator or local support group.
Internet Explorer 5.x
=====================
Disabling Error Reporting in Internet Explorer varies depending on which
version of IE you are using. For Internet Explorer 5.x, remove Internet
Explorer Error Reporting using the Control Panel:
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. In the list of installed programs, click Internet Explorer Error Reporting,
and then click Add/Remove (Windows 98, Me, NT 4) or Remove (Windows 2000).
4. Click OK.
Internet Explorer 6 on Windows 2000 and Earlier
===============================================
For Internet Explorer 6 on Windows 2000 and earlier, use the Registry script
below to disable Error Reporting.
Registry Script UnWatsonIE6.reg
-------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"IEWatsonEnabled"=dword:00000000

Only administrators have access to the Registry. If you receive an error when
trying to run this script, contact your administrator or local support group.
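
To confirm that the two registry scripts above took effect, the following added
example (not part of the original bulletin or of any Microsoft tool) audits a
REGEDIT4 text export for the required values. The names parse_reg, audit,
REQUIRED and SAMPLE are hypothetical, and the sample export is constructed.

```python
import re

# Settings required by the two registry scripts in this bulletin.
REQUIRED = {
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common": {
        "DWNeverUpload": 1, "DWNoExternalURL": 1,
        "DWNoFileCollection": 1, "DWNoSecondLevelCollection": 1,
    },
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main": {"IEWatsonEnabled": 0},
}

def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: int}} (dwords only), lowercased: the registry ignores case."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        v = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
        elif v and current is not None:
            current[v.group(1).lower()] = int(v.group(2), 16)
    return keys

def audit(text):
    """Return (key, name, wanted, found) for each missing or wrong setting."""
    have = parse_reg(text)
    findings = []
    for key, values in REQUIRED.items():
        for name, want in values.items():
            found = have.get(key.lower(), {}).get(name.lower())
            if found != want:
                findings.append((key, name, want, found))
    return findings

# Constructed sample export (not from a real machine): the Office policy is
# incomplete and only the erroneous IEWatsonDisabled name was set for IE.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"IEWatsonDisabled"=dword:00000001
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A value reported with found None is absent from the export; the IE key in the
sample fails because IEWatsonDisabled does not stand in for IEWatsonEnabled=0.
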
Internet Explorer 6 on Windows XP
=================================
To disable Error Reporting in Internet Explorer 6 running on Windows XP:
1. Click Start, and then click Control Panel (or point to Settings, and
then click Control Panel).
2. Double-click System (or click "Switch to Classic View", and then
double-click System).
3. Click the Advanced tab, and then click Error Reporting.
4. Click "Disable error reporting" to disable both user and kernel-mode error
reporting, or click to clear the Programs check box.
5. Click OK, then click OK again.
Administrators can disable error reporting in Windows XP Professional by
setting Report Errors to Disabled in Group Policy Editor (Gpedit.msc) in
the Computer Configuration\Administrative Templates\System\Error Reporting
folder.
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of the Systems and Network Department
help desk at the Lawrence Livermore National Laboratory for the information
contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-139: Microsoft IIS "%u encoding IDS bypass vulnerability"
L-140: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-141: RSA BSAFE SSL-J 3.x Vulnerability
L-142: RPC Endpoint Mapper Vulnerability
L-143: HP libsecurity Vulnerability
L-144: The W32.nimda Worm
M-001: Cisco Secure IDS Signature Obfuscation Vulnerability
M-002: Multi-Vendor format String Vulnerability in ToolTalk Service
M-003: Hewlett-Packard rpcbind Security Vulnerability
M-004: Excel and PowerPoint Macro Vulnerability