Experts raised privacy concerns when a data protection impact assessment found Microsoft covertly collects personal data from users of the enterprise version of Office ProPlus.

Privacy Company released the results of a data protection impact assessment showing privacy risks in the enterprise version of Microsoft Office. Regarding the “large scale and covert collection of personal data” of Microsoft Office ProPlus (Office 2016 MSI and Office 365 CTR) users, Privacy Company warned:

Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people. Microsoft does not offer any choice with regard to the amount of data, or the possibility to switch off the collection, or the ability to see what data are collected, because the data stream is encoded.

Similar to the practice in Windows 10, Microsoft has included separate software in the Office software that regularly sends telemetry data to its own servers in the United States. For example, Microsoft collects information about events in Word, when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling. But also the sentence before and after a word that you look up in the online spelling checker or translation service. Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services.
For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so-called system-generated event logs.

The report includes tips for how admins can lower the privacy risks.

Other security and privacy news:

Patch Tuesday: Microsoft closes 62 security holes, two zero-days

Of the 62 security holes closed by Microsoft on the November 2018 Patch Tuesday, 12 are rated critical and two are zero-days.

The elevation of privilege zero-day, CVE-2018-8589, first reported to Microsoft by Kaspersky Lab in October, exists in Win32k.sys. The vulnerability is being actively exploited against Windows 7 and Server 2008 and could allow an attacker to run arbitrary code in the context of the local system. Microsoft rated it only “important” because the attacker must already be logged on to the system to exploit it, but once exploited it hands the attacker full control of the machine.

The second zero-day, CVE-2018-8566, a security feature bypass in BitLocker, was publicly disclosed on Twitter in October. The bug affects Windows 10, Server 2016, and Server 2019. Although Microsoft noted that this flaw is not related to its previously released security advisory on how to configure BitLocker to enforce software encryption, the company said that if you install this security update, you will also need to review the advisory regarding self-encrypting drives.

Also on Patch Tuesday, Microsoft re-released the October 2018 Update for Windows. The rollout was paused in October because the update was deleting users’ files.
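A quick check for the BitLocker advisory item above, added here as an example and not part of the original article or of Microsoft's own guidance: it lists the BitLocker volumes whose encryption has been delegated to the drive's self-encrypting hardware (the case the advisory on enforcing software encryption covers) and reads the Group Policy values that decide whether hardware encryption is still allowed. Get-BitLockerVolume and Get-ItemProperty are built-in cmdlets; the registry value names under the FVE policy key are assumed from memory and should be confirmed against the advisory before relying on them.

```powershell
# Added example (not from the article or from Microsoft): find BitLocker volumes that rely on
# the drive's self-encrypting hardware instead of Windows' software AES, and show whether
# policy still permits hardware encryption. Run from an elevated PowerShell prompt.

function Get-HardwareEncryptedBitLockerVolume {
    # Get-BitLockerVolume ships in the built-in BitLocker module (Windows 8 / Server 2012 and later).
    # EncryptionMethod reports 'Hardware' when BitLocker defers to the SED's own encryption.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus
}

function Get-BitLockerHardwareEncryptionPolicy {
    # ASSUMED value names backing the Group Policy setting
    # "Configure use of hardware-based encryption for <operating system|fixed data|removable data> drives".
    # Absent or 1 = hardware encryption allowed; 0 = disabled, which forces software encryption.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSAllowHardwareEncryption', 'FDVAllowHardwareEncryption', 'RDVAllowHardwareEncryption') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy  = $name
            Value   = if ($null -eq $value) { 'not configured' } else { $value }
            Allowed = ($null -eq $value) -or ($value -ne 0)
        }
    }
}

$hardwareVolumes = Get-HardwareEncryptedBitLockerVolume
if ($hardwareVolumes) {
    Write-Output 'Volumes encrypted by the drive hardware (review the self-encrypting-drive advisory):'
    $hardwareVolumes | Format-Table -AutoSize
} else {
    Write-Output 'No BitLocker volume relies on hardware encryption.'
}

Write-Output 'Hardware-encryption policy state:'
Get-BitLockerHardwareEncryptionPolicy | Format-Table -AutoSize
```

The script only reports state. Disabling hardware encryption in policy does not change a volume that is already encrypted by the drive; that volume has to go through a decrypt and re-encrypt cycle before Windows' software AES protects it, which is the procedure the advisory describes. manage-bde -status shows the same "Encryption Method" per volume if you prefer the command-line tool.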
Microsoft said the file deletion issue has been resolved, but it is taking a more measured approach with the October Windows Update than it did with the April Update, as rolling it out slowly allows the company “to more carefully study device health data.”

Reminder of why patching is important

If you don’t want to deploy Microsoft’s security updates with any urgency, or don’t want to patch at all, then you might join the ranks of people such as Hacking Team’s founder and CEO David Vincenzetti. It turns out that, despite Vincenzetti attempting to “frame former employees” for Hacking Team being hacked, Phineas Fisher was able to hack the company in large part because no one could be bothered to update its software. It seems no one was in charge of applying updates, as the company was focused only on keeping its spyware running.

Oh, the irony: IoT backdoor author added second, secret backdoor to hack script kiddies

Lastly, and also from the irony department: the author of Scarface, code used by script kiddies to build an IoT botnet by exploiting a vendor backdoor in ZTE routers, planted a second, hidden backdoor in that code which compromises the script kiddies themselves.

A vendor backdoor is leaked with another backdoor on top of it by the malware author to hack the script kiddies. So they will be able to hack others using the ZTE backdoor, but they also will get backdoored themselves due to the extra backdoor lol. #IoT https://t.co/jdRAwvKrUR

— Ankit Anubhav (@ankit_anubhav) November 13, 2018