Windows error reports could lead to exploit, says security vendor

Microsoft Windows has a helpful utility that — usually with user permission — automatically sends problem reports to the company for analysis. But a security vendor says those error reports could also leak information to people who can craft specific attacks and compromise networks.

Alex Watson, director of security research for Websense Inc., says Windows Error Reporting – also called Dr. Watson – transmits unencrypted crash logs to Microsoft filled with “incredibly detailed information” on individual systems.

“It’s like having blueprints to a person executing an attack,” he said in an interview on Monday.

“These error logs could ultimately allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration,” the company said in a blog on the weekend.

“Crashes are especially useful for attackers as they may pinpoint a new exploitable code flaw for a zero-day attack.”

Information in the report includes the operating system, service pack and update versions and details on what device has recently been plugged into a USB port.

Websense acknowledges that, according to Microsoft, administrators can implement fine-grained control over automated error reporting by pushing group policies to computers on the network.

However, it adds, “our research indicates that by default many organizations are reporting (in clear-text) specific information about applications, services and hardware through Microsoft Error Reporting. These application reports are not just limited to crashes, but also events such as failed application updates, USB device insertions, and in some cases even TCP Timeouts between computers on the network – a large percentage of which is sent in HTTP clear text.”

Coincidentally, the possibility the U.S. National Security Agency is already intercepting and leveraging this data was just raised by a German publication.

In an email, a Microsoft [Nasdaq: MSFT] spokesperson said that Secure Socket Layer (SSL) connections are regularly established when transmitting Windows error reports. “Customers who choose to use error reports send limited information about, for example, the process, application, or device driver that may have encountered a problem. Reports are then reviewed and used to improve customer experiences. We continue to review our encryption technologies and practices and have commented on the multiple investments we continue to make, on our Microsoft on the Issues blog.”

Websense’s Watson acknowledged the company has no case studies of organizations that have been successfully attacked using the error data, although he said the evidence would be hard to find.

Websense recommends that organizations follow Microsoft’s recommendations to redirect all Windows Error Reporting (WER) traffic on their network to an internal server using a group policy to force encryption on all telemetry reports.
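One way an administrator could check whether that recommendation has actually reached a given endpoint is to read the WER policy values that Group Policy writes to the registry. The script below is an added example, not code from Websense or Microsoft; the function name and verdict labels are hypothetical, and it assumes the policy is delivered through the machine-wide WER policy key.

```powershell
# Added example: audit this machine's Windows Error Reporting (WER) policy.
# Assumption: settings arrive via Group Policy under the machine-wide policy key.
# Function name and verdict labels are this example's own, not Microsoft's.
$WerPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-WerPolicyFinding {
    param([string]$Path = $WerPolicyKey)

    # Returns $null when no WER policy has been applied to this machine.
    $policy = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    if ($null -eq $policy) {
        $verdict = 'NoPolicy'
        $detail  = 'No WER policy key found; reporting is not centrally controlled.'
    }
    elseif ($policy.Disabled -eq 1) {
        $verdict = 'Disabled'
        $detail  = 'Error reporting is turned off by policy.'
    }
    elseif ([string]::IsNullOrWhiteSpace($policy.CorporateWerServer)) {
        $verdict = 'NotRedirected'
        $detail  = 'Policy exists but names no internal WER server.'
    }
    elseif ($policy.CorporateWerUseSSL -ne 1) {
        $verdict = 'RedirectedClearText'
        $detail  = 'Reports go to the internal server, but SSL is not enforced.'
    }
    else {
        $verdict = 'RedirectedSsl'
        $detail  = 'Reports go to the internal server over SSL.'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Verdict  = $verdict
        Server   = $policy.CorporateWerServer      # empty when not configured
        Port     = $policy.CorporateWerPortNumber  # empty when not configured
        Detail   = $detail
    }
}

Get-WerPolicyFinding | Format-List
```

Any verdict other than `Disabled` or `RedirectedSsl` marks an endpoint where the recommended redirection with encryption is not in force.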

Howard Solomon