TUCoPS :: Windows Apps :: ciacm005.txt

CIAC M-005 office xp error reporting sends sensitive docs txt.011018140545


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

      Office XP Error Reporting May Send Sensitive Documents to Microsoft

October 15, 2001 20:00 GMT                                        Number M-005
Revised: October 16, 2001, 1900 GMT 
Revised: October 18, 2001, 1900 GMT
______________________________________________________________________________
PROBLEM:       Microsoft Office XP and Internet Explorer version 5 and later 
               are configured to automatically send debugging information to 
               Microsoft in the event of a program crash. The debugging 
               information includes a memory dump which may contain all or 
               part of the document being viewed or edited. This debug message 
               potentially could contain sensitive, private information. 
PLATFORM:      Microsoft Office XP 
               Microsoft Internet Explorer 5.0 and later 
               Microsoft Windows XP
               Microsoft has indicated that this will be a feature of all new 
               Microsoft products. 
DAMAGE:        Sensitive or private information could inadvertently be sent to 
               Microsoft. Some simple testing of the feature found document 
               information in one message out of three. 
SOLUTION:      Apply the registry changes listed in this bulletin to disable 
               the automatic sending of debugging information. If you are 
               working with sensitive information and a program asks to send 
               debugging information to Microsoft, you should click No. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM/LOW. Sensitive documents could be sent to 
ASSESSMENT:    Microsoft. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-005.shtml 
 PATCHES:            Office XP: 
                     http://www.ciac.org/ciac/bulletins/office/UnWatsonXP.reg 
                     IE: 
                     http://www.ciac.org/ciac/bulletins/office/UnWatsonIE6.reg 
______________________________________________________________________________

[Revision 10/16/01 Emphasize debug dialog box]
[Revision 10/17/01 Removed erroneous key, IEWatsonDisabled, from reg file] 
[Revision 10/18/01 Added links to Microsoft pages]

Microsoft's Error Reporting Can Send Your Data Across the Internet

Office XP, Internet Explorer (version 5 and higher), and Windows XP use a 
feature called Error Reporting to send crash and debug information back to 
Microsoft to help them detect and fix bugs in their software. Unfortunately, 
Error Reporting can send portions of the document or web site you are viewing 
along with this debugging information. The error reporting feature and the data 
it collects is described in the following pages on the Microsoft website. 

    http://www.microsoft.com/office/ork/xp/two/admA05.htm
    http://watson.microsoft.com/dw/1033/dcp.asp

Error reporting in Internet Explorer is discussed on the following pages. 
Note that the name of the registry key to change is wrong in this article. 
The key is IEWatsonEnabled and should be set to 0 to disable Error Reporting. 

    http://support.microsoft.com/support/kb/articles/Q276/5/50.ASP

When error reporting activates after a crash, it displays a dialog box that 
asks to send debugging information to Microsoft. The information sent to 
Microsoft includes a copy of the block of memory where the program was 
running when it crashed. It is not evident from the dialog box that the 
contents of the document being edited may be in that memory block. If the 
document you are viewing or editing in any way could be considered 
sensitive you should answer Don't Send to this request.  


This bulletin contains instructions for disabling Error Reporting in both 
Internet Explorer and Office XP on all versions of Windows. (At this time, 
Error Reporting is not available, and does not need to be disabled, on 
Macintosh computers.)

Office XP
=========

To disable Error Reporting in Office XP (on any version of Windows), use the 
Registry script below. Double clicking on a .REG file runs Regedit and makes 
the changes in the file. The script disables Error Reporting for the current 
user only, and so must be run by each user of a system. (New users created 
after the script is run will have the changes made for them, and do not need 
to re-run the script.)

Registry Script UnWatsonXP.reg 
------------------------------

  REGEDIT4

  [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common]
  "DWNeverUpload"=dword:00000001
  "DWNoExternalURL"=dword:00000001
  "DWNoFileCollection"=dword:00000001
  "DWNoSecondLevelCollection"=dword:00000001

  [HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common]
  "DWNeverUpload"=dword:00000001
  "DWNoExternalURL"=dword:00000001
  "DWNoFileCollection"=dword:00000001
  "DWNoSecondLevelCollection"=dword:00000001

Only administrators have access to the Registry. If you receive an error when 
trying to run this script, contact your administrator or local support group.

Internet Explorer 5.x
=====================

Disabling Error Reporting in Internet Explorer varies depending on which 
version of IE you are using. For Internet Explorer 5.x, remove Internet 
Explorer Error Reporting using the Control Panel:

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. In the list of installed programs, click Internet Explorer Error Reporting, 
     and then click Add/Remove (Windows 98, Me, NT 4) or Remove (Windows 2000).
  4. Click OK.

Internet Explorer 6 on Windows 2000 and Earlier
===============================================

For Internet Explorer 6 on Windows 2000 and earlier, use the Registry script 
below to disable Error Reporting.

Registry Script UnWatsonIE6.reg
-------------------------------

  REGEDIT4

  [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
  "IEWatsonDisabled"=dword:00000001
  "IEWatsonEnabled"=dword:00000000

Only administators have access to the Registry. If you receive an error when 
trying to run this script, contact your administrator or local support group.

Internet Explorer 6 on Windows XP
=================================

To disable Error Reporting in Internet Explorer 6 running on Windows XP:

  1. Click Start, and then click Control Panel (or point to Settings, and 
     then click Control Panel).
  2. Double-click System (or click "Switch to Classic View", and then 
     double-click System).
  3. Click the Advanced tab, and then click Error Reporting.
  4. Click "Disable error reporting" to disable both user and kernel-mode error 
     reporting, or click to clear the Programs check box.
  5. Click OK, then click OK again.

Administrators can disable error reporting in Windows XP Professional by 
setting Report Errors to Disabled in Group Policy Editor (Gpedit.msc) in 
the Computer Configuration\Administrative Templates\System\Error Reporting 
folder.
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Systems and Network Department 
help desk at the Lawrence Livermore National Laboratory for the information 
contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-139: Microsoft IIS "%u encoding IDS bypass vulnerability" 
L-140: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability 
L-141: RSA BSAFE SSL-J 3.x Vulnerability
L-142: RPC Endpoint Mapper Vulnerability 
L-143: HP libsecurity Vulnerability
L-144: The W32.nimda Worm
M-001: Cisco Secure IDS Signature Obfuscation Vulnerability
M-002: Multi-Vendor format String Vulnerability in ToolTalk Service
M-003: Hewlett-Packard rpcbind Security Vulnerability
M-004: Excel and PowerPoint Macro Vulnerability


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH