__________________________________________________________

                   The U.S. Department of Energy
                 Computer Incident Advisory Center
__________________________________________________________

                        INFORMATION BULLETIN

     Office XP Error Reporting May Send Sensitive Documents to Microsoft

October 15, 2001 20:00 GMT                                      Number M-005
Revised: October 16, 2001, 1900 GMT
Revised: October 18, 2001, 1900 GMT
______________________________________________________________________________

PROBLEM:       Microsoft Office XP and Internet Explorer version 5 and later
               are configured to request to send debugging information to
               Microsoft in the event of a program crash. The debugging
               information includes a memory dump which may contain all or
               part of the document being viewed or edited. This debug
               message potentially could contain sensitive, private
               information.

PLATFORM:      Microsoft Office XP
               Microsoft Internet Explorer 5.0 and later
               Microsoft Windows XP
               Microsoft has indicated that this will be a feature of all
               new Microsoft products.

DAMAGE:        Sensitive or private information could inadvertently be sent
               to Microsoft. Some simple testing of the feature found
               document information in one message out of three.

SOLUTION:      Apply the registry changes listed in this bulletin to disable
               the automatic sending of debugging information. If you are
               working with sensitive information and a program asks to
               send debugging information to Microsoft, you should click
               Don't Send.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Sensitive documents could be sent to
ASSESSMENT:    Microsoft.
______________________________________________________________________________

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-005.shtml
  PATCHES:
    Office XP: http://www.ciac.org/ciac/bulletins/office/UnWatsonXP.reg
    IE:        http://www.ciac.org/ciac/bulletins/office/UnWatsonIE6.reg
______________________________________________________________________________

[Revision 10/16/01 Emphasize debug dialog box]
[Revision 10/17/01 Removed erroneous key, IEWatsonDisabled, from reg file]
[Revision 10/18/01 Added links to Microsoft pages]

Microsoft's Error Reporting Can Send Your Data Across the Internet

Office XP, Internet Explorer (version 5 and higher), and Windows XP use a
feature called Error Reporting to send crash and debug information back to
Microsoft to help them detect and fix bugs in their software. Unfortunately,
Error Reporting can send portions of the document or web site you are
viewing along with this debugging information.

The error reporting feature and the data it collects are described in the
following pages on the Microsoft website.

  http://www.microsoft.com/office/ork/xp/two/admA05.htm
  http://watson.microsoft.com/dw/1033/dcp.asp

Error reporting in Internet Explorer is discussed on the following page.
Note that the name of the registry key to change is wrong in this article.
The key is IEWatsonEnabled and should be set to 0 to disable Error
Reporting.

  http://support.microsoft.com/support/kb/articles/Q276/5/50.ASP

When error reporting activates after a crash, it displays a dialog box that
asks to send debugging information to Microsoft. The information sent to
Microsoft includes a copy of the block of memory where the program was
running when it crashed. It is not evident from the dialog box that the
contents of the document being edited may be in that memory block. If the
document you are viewing or editing could in any way be considered
sensitive, you should answer Don't Send to this request.
This bulletin contains instructions for disabling Error Reporting in both
Internet Explorer and Office XP on all versions of Windows. (At this time,
Error Reporting is not available, and does not need to be disabled, on
Macintosh computers.)

Office XP
=========

To disable Error Reporting in Office XP (on any version of Windows), use
the Registry script below. Double-clicking on a .REG file runs Regedit and
makes the changes in the file. The script disables Error Reporting for the
current user only, and so must be run by each user of a system. (New users
created after the script is run will have the changes made for them, and do
not need to re-run the script.)

Registry Script UnWatsonXP.reg
------------------------------

REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001
"DWNoFileCollection"=dword:00000001
"DWNoSecondLevelCollection"=dword:00000001

[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001
"DWNoFileCollection"=dword:00000001
"DWNoSecondLevelCollection"=dword:00000001

Only administrators have access to the Registry. If you receive an error
when trying to run this script, contact your administrator or local support
group.

Internet Explorer 5.x
=====================

Disabling Error Reporting in Internet Explorer varies depending on which
version of IE you are using. For Internet Explorer 5.x, remove Internet
Explorer Error Reporting using the Control Panel:

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. In the list of installed programs, click Internet Explorer Error
     Reporting, and then click Add/Remove (Windows 98, Me, NT 4) or Remove
     (Windows 2000).
  4. Click OK.
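A .REG script that is edited by hand, or re-exported from a machine, can silently lose a value or a whole key and leave Error Reporting enabled. The following checker, written for this bulletin and not part of CIAC's distributed files, parses a REGEDIT4 script and reports any of the UnWatsonXP.reg policy values above that are missing or not set to 1; the embedded script text is a constructed copy of the one shown above.

```python
"""Verify a REGEDIT4 .reg script sets the Office XP Error Reporting policy
values from this bulletin. Added example, not CIAC's own tooling."""
import re

OFFICE_KEYS = (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common",
               r"HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common")
# Every DW* value the bulletin's script sets, with its required value.
EXPECTED = {"DWNeverUpload": 1, "DWNoExternalURL": 1,
            "DWNoFileCollection": 1, "DWNoSecondLevelCollection": 1}
SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')

def parse_reg(text):
    """Map key path -> {value name: int} for the dword entries of a REGEDIT4 file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    result, key = {}, None
    for ln in lines[1:]:
        if m := SECTION_RE.match(ln):           # [HKEY_...] opens a new key
            key = m.group(1)
            result.setdefault(key, {})
        elif (m := DWORD_RE.match(ln)) and key is not None:
            result[key][m.group(1)] = int(m.group(2), 16)  # dword hex -> int
        else:
            raise ValueError("unrecognised line: %r" % ln)
    return result

def missing_settings(text, keys=OFFICE_KEYS, expected=EXPECTED):
    """Return (key, value name) pairs that are absent or not set as required."""
    parsed = parse_reg(text)
    return [(k, name) for k in keys for name, want in expected.items()
            if parsed.get(k, {}).get(name) != want]

# Constructed copy of the bulletin's UnWatsonXP.reg, embedded for a stand-alone run.
UNWATSON_XP = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001
"DWNoFileCollection"=dword:00000001
"DWNoSecondLevelCollection"=dword:00000001
[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common]
"DWNeverUpload"=dword:00000001
"DWNoExternalURL"=dword:00000001
"DWNoFileCollection"=dword:00000001
"DWNoSecondLevelCollection"=dword:00000001
"""
# missing_settings(UNWATSON_XP) returns [] for the complete script.
```

Run it against a script before distributing it; an empty list means both keys carry all four values, and any pair it returns names the key and value that still needs to be set.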
Internet Explorer 6 on Windows 2000 and Earlier
===============================================

For Internet Explorer 6 on Windows 2000 and earlier, use the Registry
script below to disable Error Reporting.

Registry Script UnWatsonIE6.reg
-------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"IEWatsonEnabled"=dword:00000000

Only administrators have access to the Registry. If you receive an error
when trying to run this script, contact your administrator or local support
group.

Internet Explorer 6 on Windows XP
=================================

To disable Error Reporting in Internet Explorer 6 running on Windows XP:

  1. Click Start, and then click Control Panel (or point to Settings, and
     then click Control Panel).
  2. Double-click System (or click "Switch to Classic View", and then
     double-click System).
  3. Click the Advanced tab, and then click Error Reporting.
  4. Click "Disable error reporting" to disable both user and kernel-mode
     error reporting, or click to clear the Programs check box.
  5. Click OK, then click OK again.

Administrators can disable error reporting in Windows XP Professional by
setting Report Errors to Disabled in Group Policy Editor (Gpedit.msc) in the
Computer Configuration\Administrative Templates\System\Error Reporting
folder.
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the Systems and Network
Department help desk at the Lawrence Livermore National Laboratory for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-139: Microsoft IIS "%u encoding IDS bypass vulnerability"
L-140: Gauntlet Firewall CSMAP and smap/smapd Buffer Overflow Vulnerability
L-141: RSA BSAFE SSL-J 3.x Vulnerability
L-142: RPC Endpoint Mapper Vulnerability
L-143: HP libsecurity Vulnerability
L-144: The W32.nimda Worm
M-001: Cisco Secure IDS Signature Obfuscation Vulnerability
M-002: Multi-Vendor Format String Vulnerability in ToolTalk Service
M-003: Hewlett-Packard rpcbind Security Vulnerability
M-004: Excel and PowerPoint Macro Vulnerability