Office XP hole compromises personal data

The Report Error function in Microsoft's office suite contains a memory dump that can send personal information to Microsoft as part of the bug report

Companies using Microsoft Office XP and Internet Explorer version 5 have been warned that documents containing personal information could be sent to Microsoft along with debugging information in the event of a program crash.

The Error Reporting feature sends crash and debug information back to Microsoft to help the company detect and fix bugs in its software. But the US Computer Incident Advisory Service (CIAC) has released a security bulletin claiming that the debugging information contains a memory dump, which may include all or part of the document being viewed or edited.

"If a sensitive document is resident in the memory dump, this could be sent to Microsoft," said Graham Cluley, senior technology consultant at antivirus firm Sophos. "This is not a serious problem but an interesting foible."

The CIAC bulletin states that the Error Reporting function is configured to "automatically" send debugging information to Microsoft, and claims that the relevant dialogue box does not make it obvious that the contents of the document being edited may be sent along with information about the programme crash.

But Microsoft contests that the reporting function asks for user permission before any information is forwarded, while additionally offering the option of turning the feature off from all company desktops.

"We make it clear to customers that when a problem occurs, their Digital Product ID and Internet Protocol (IP) address will be sent to us," said Neil Laver, Windows marketing manager. "The report could also contain customer-specific information which could be used to identify a person's identity, but will not be used." Microsoft additionally claims that it limits the number of people who have access to the bug reports.

The Error Reports are sent via a standard security protocol, which is sufficient in protecting confidentiality, according to Microsoft. "This encrypts data sent over the Internet, but not the document," Laver clarified.

Cluley thinks it unlikely that many companies will be sending bug reports over the Internet, but warns that, "whenever any kind of communication takes place on the Internet, there is always the opportunity for people to intercept it."

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.