Companies using Microsoft Office XP and Internet Explorer 5 have been warned that documents containing personal information could be sent to Microsoft along with debugging information in the event of a program crash.
The feature that reports errors sends crash and debugging information back to Microsoft to help the company detect and fix bugs in its software. But the U.S. Department of Energy's Computer Incident Advisory Capability office has released a security bulletin reporting that the debugging information includes an image of the current contents of the PC's memory, which may include all or part of the document being viewed or edited.
"If a sensitive document is resident in the memory dump, this could be sent to Microsoft," said Graham Cluley, senior technology consultant at antivirus company Sophos. "This is not a serious problem but an interesting foible."
But Microsoft says the reporting function asks for permission before any information is forwarded, while additionally offering the option of turning the feature off from all company desktops.
"We make it clear to customers that when a problem occurs, their Digital Product ID and Internet Protocol (IP) address will be sent to us," said Neil Laver, Windows marketing manager. "The report could also contain customer-specific information, which could be used to identify a person's identity, but will not be used."
News source: Yahoo! News
View Information Bulletin: CIAC: Office XP Error Reporting May Send Sensitive Documents to Microsoft