Microsoft covertly collects personal data from enterprise Office ProPlus users

Experts raised privacy concerns when a data protection impact assessment found Microsoft covertly collects personal data from users of the enterprise version of Office ProPlus.

Privacy Company released the results of a data protection impact assessment showing privacy risks in the enterprise version of Microsoft Office.

Regarding the “large scale and covert collection of personal data” of Microsoft Office ProPlus (Office 2016 MSI and Office 365 CTR) users, Privacy Company warned:

Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people. Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.

Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States. For example, Microsoft collects information about events in Word, when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling. But also the sentence before and after a word that you look up in the online spelling checker or translation service. Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services. For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so called system-generated event logs.

The report includes tips for how admins can lower the privacy risks.

Other security and privacy news:

Patch Tuesday: Microsoft closes 62 security holes, two zero-days

Of the 62 security holes closed by Microsoft on the November 2018 Patch Tuesday, 12 are rated critical and two are zero-days.

The elevation of privilege zero-day, CVE-2018-8589, first reported to Microsoft by Kaspersky Lab in October, exists in Win32k.sys and is being actively exploited against Windows 7 and Server 2008. A successful exploit lets the attacker run arbitrary code in the context of the local system. Microsoft rates it only “important” because the attacker must already be able to log on and run code on the machine, but once that foothold exists the bug turns it into full control of the system.

The second zero-day, CVE-2018-8566, a security feature bypass in BitLocker, was publicly disclosed on Twitter in October. The bug affects Windows 10, Server 2016, and Server 2019. Microsoft noted that this flaw is not related to its previously released security advisory on configuring BitLocker to enforce software encryption, but the company said that anyone installing this update should also review that advisory on self-encrypting drives.
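The advisory in question concerns BitLocker volumes that delegate encryption to a self-encrypting drive instead of doing it in software. The following PowerShell is an added example, not code from the article or from Microsoft's advisory: it lists volumes that are relying on drive hardware and then reads the Group Policy registry values that force software encryption for new volumes. It assumes the BitLocker PowerShell module (Get-BitLockerVolume, available on Windows 8.1 / Server 2012 R2 and later) and an elevated session; the three value names come from the BitLocker policy template (VolumeEncryption.admx).

```powershell
# Added example (not from the article or Microsoft's advisory).
# Assumes: BitLocker PowerShell module present, run as administrator.

# 1. Which protected volumes are trusting the drive's own encryption?
#    Get-BitLockerVolume reports such volumes with EncryptionMethod = Hardware.
$hardwareVolumes = Get-BitLockerVolume |
    Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod

if ($hardwareVolumes) {
    "Volumes relying on self-encrypting drive hardware:"
    $hardwareVolumes | Format-Table -AutoSize
} else {
    "No BitLocker volumes are using hardware-based encryption."
}

# 2. Policy state. The "Configure use of hardware-based encryption" policies for
#    operating system, fixed data and removable data drives map to these DWORDs under
#    HKLM\SOFTWARE\Policies\Microsoft\FVE. A value of 0 (policy Disabled) makes
#    BitLocker use software AES for newly encrypted volumes; an absent value means
#    hardware encryption is still allowed when the drive supports it.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    $current = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        "{0}: not set (hardware encryption allowed)" -f $name
    } else {
        "{0}: {1}" -f $name, $current
    }
}

# 3. To enforce software encryption locally (domain-joined machines should get this
#    via Group Policy instead), uncomment the lines below. Note that the policy only
#    affects volumes encrypted after it is applied: an existing hardware-encrypted
#    volume has to be decrypted (Disable-BitLocker) and re-encrypted (Enable-BitLocker)
#    before it is protected by software encryption.
# New-Item -Path $fve -Force | Out-Null
# foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
#     Set-ItemProperty -Path $fve -Name $name -Value 0 -Type DWord
# }
```

The same per-volume information is available from `manage-bde -status`, which prints the encryption method for each volume; the script form is handier when sweeping a fleet over remoting.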

Also on Patch Tuesday, Microsoft re-released the October 2018 Update for Windows. The rollout was paused in October because the update deleted some users’ files. Microsoft said the file deletion issue has been resolved, but it is taking a more measured approach with the October update than it did with the April update, because rolling it out slowly allows the company “to more carefully study device health data.”

Reminder of why patching is important

If you don’t want to deploy Microsoft’s security updates with any urgency, or don’t want to patch at all, then you might join the ranks of people such as Hacking Team’s founder and CEO David Vincenzetti. It turns out that, despite Vincenzetti attempting to “frame former employees” for Hacking Team being hacked, Phineas Fisher was able to break into the company in large part because nobody there kept its software updated. It seems no one was in charge of patching, as the company was focused only on keeping its spyware running.

Oh, the irony: IoT backdoor author added second, secret backdoor to hack script kiddies

Lastly, and also from the irony department, the author of an Internet of Things (IoT) backdoor hid a second, secret backdoor in Scarface, the code script kiddies use to build botnets of ZTE routers, so that anyone who ran it to backdoor routers was themselves backdoored.
