Feeds

Win-XP Search Assistant silently downloads files

Trustworthy computing?

  • alert
  • submit to reddit

3 Big data security analytics techniques

Just over a week ago, while searching for a file on a Windows-XP machine, I was surprised to see the Search Assistant attempting to activate my Internet connection. It puzzled me because I wasn't searching the Internet, only my local drive. I was busy with other things at the time, but I made a mental note to look into it soon, which I promptly forgot to do.

This morning, Reg reader Jody Melbourne rattled my cage, fresh from having made the same discovery. He'd noticed that the Assistant was establishing a connection with a machine at Microsoft.

"I did not give Microsoft permission to know what files I am searching for on my local hard-drive," Jody wrote.

Indeed, and neither had I. So I connected an XP box to my ISP, started a packet sniffer, and launched the Search Assistant. Sure enough, it immediately connected to http://sa.windows.com/ and fetched a number of files. But it didn't attempt to send any data to the site, beyond comparing my locally-stored versions of those files to the ones on the server.

But when I performed an Internet search, the Assistant sent my search terms to the Microsoft site, and also dropped a session cookie on my machine.

Phoning home?
One of the files the Assistant fetches is the MS Search Companion privacy statement. This is done for P3P compliance. According to the statement, MS doesn't collect information about local searches. "No information is ever collected by Search Companion when you search your local system, LAN, or intranet for any reason."

I certainly didn't pick up anything to contradict that. But there is some obvious collecting when SA is used to search the Internet.

"When you search the Internet using the Search Companion, the following information is collected regarding your use of the service: your IP address, the text of your Internet search query, grammatical information about the query, the list of tasks which the Search Companion Web service recommends, and any tasks you select from the recommendation list."

"Search Companion does not record your choice of Internet search engine, and does not collect or request any personal or demographic information. Information collected by the Search Companion cannot be used to identify you individually, and is never used in conjunction with other data sources that may contain personal data."

Hopefully there aren't too many loopholes in that, though I rather think the user's IP can be considered personally identifying. However, MS tells us that the policy statement is out of date. IPs were logged for testing purposes during the XP beta period; but since the product launch, there has been no IP logging.

In addition to the privacy statement, the remaining files fetched are XSL (Extensible Stylesheet Language) stylesheets:
transform.xsl
balloon.xsl
prevectr.xsl
vector.xsl
boolean.xsl
pretrans.xsl
transform.xsl

Users curious to know exactly what they contain can quite easily locate them on their local machine and have a peek. According to MS, they're simply used to maintain up-to-date associations between file extensions and file types, to make searching more productive.

I'm not acquainted with XSL, so I'm in no position to affirm that or to argue with it, but I'd be pleased to hear from readers who can shed additional light on the subject.

For now it appears that there's nothing here for users to worry about. But there is a question about MS playing fast and loose with people's Internet connections. Certainly, the minute one ventures onto the Web, one starts bleeding information all over the place, fetching images and ads and taking cookies from secondary and tertiary sources too numerous to mention.

But when we run an application for some local business like a file search, we don't expect it to connect silently to the Net, even for a good reason. When we discover something like this, it feels like someone else is in control of our computer, and that is definitely not a good feeling.

If Trustworthy Computing is going to mean anything, it's going to have to mean that actions like file downloads aren't going to happen without the user's knowledge and consent. A simple popup asking if one wants the latest XSL files with the options to decline, to be asked each time, or to grant permission to go ahead without further consultation is all that would be needed. ®

Related Story

Small MS DVD privacy invasion, not many dead

SANS - Survey on application security programs

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Windows XP still has 27 per cent market share on its deathbed
Windows 7 making some gains on XP Death Day
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.