Microsoft Windows has a helpful utility that — usually with user permission — automatically sends problem reports to the company for analysis. But a security vendor says those error reports could also leak information to people who can craft specific attacks and compromise networks.
Alex Watson, director of security research for Websense Inc., says Windows Error Reporting – also called Dr. Watson – transmits unencrypted crash logs to Microsoft filled with “incredibly detailed information” on individual systems.
“It’s like having blueprints to a person executing an attack,” he said in an interview on Monday.
“These error logs could ultimately allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration,” the company said in a blog on the weekend.
“Crashes are especially useful for attackers as they may pinpoint a new exploitable code flaw for a zero-day attack.”
Information in a report includes the operating system, service pack and update versions, and details of which device was recently plugged into a USB port.
Websense acknowledges that, according to Microsoft, administrators can exercise fine-grained control over automated error reporting by pushing group policies to the computers on their network.
However, it adds “our research indicates that by default many organizations are reporting (in clear-text) specific information about applications, services and hardware through Microsoft Error Reporting. These application reports are not just limited to crashes, but also events such as failed application updates, USB device insertions, and in some cases even TCP Timeouts between computers on the network – a large percentage of which is sent in HTTP clear text.”
Coincidentally, the possibility the U.S. National Security Agency is already intercepting and leveraging this data was just raised by a German publication.
In an email, a Microsoft [Nasdaq: MSFT] spokesperson said that Secure Sockets Layer (SSL) connections are regularly established when transmitting Windows error reports. “Customers who choose to use error reports send limited information about, for example, the process, application, or device driver, that may have encountered a problem. Reports are then reviewed and used to improve customer experiences. We continue to review our encryption technologies and practices and have commented on the multiple investments we continue to make, on our Microsoft on the Issues blog.”
Websense’s Watson acknowledged the company has no case studies of organizations that have been successfully attacked using the error data, although he said the evidence would be hard to find.
Websense recommends that organizations follow Microsoft’s guidance and use a group policy to redirect all Windows Error Reporting (WER) traffic on their network to an internal server, forcing encryption on all telemetry reports.
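As an added illustration of that recommendation (this is not code from the article, Websense or Microsoft), the PowerShell script below audits a single host for the corporate WER policy and, with -Apply, writes the same policy registry values that the “Configure Corporate Windows Error Reporting” group policy sets, so reports go to an internal collector over SSL instead of to Microsoft in clear text. It assumes the policy key path and value names under HKLM\SOFTWARE\Policies are the ones that group policy writes; the collector host name is a placeholder, and in a domain the values would normally be deployed through a GPO rather than set locally.

```powershell
# Added example (not from the article): audit and optionally harden the
# corporate Windows Error Reporting policy on the local machine.
# Assumed policy location and value names (written by the
# "Configure Corporate Windows Error Reporting" group policy).
param(
    [string]$CollectorHost = 'wer-collector.corp.example',  # placeholder host
    [int]$Port = 443,
    [switch]$Apply
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-WerPolicy {
    # Returns the current corporate WER settings; empty values mean the
    # default applies and reports are sent to Microsoft.
    $props = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    [pscustomobject]@{
        Server = $props.CorporateWerServer
        UseSSL = $props.CorporateWerUseSSL
        Port   = $props.CorporateWerPortNumber
    }
}

function Test-WerHardened {
    param([pscustomobject]$Policy)
    # Hardened means a corporate server is set AND SSL is forced (UseSSL = 1).
    return (-not [string]::IsNullOrEmpty($Policy.Server)) -and ($Policy.UseSSL -eq 1)
}

$before = Get-WerPolicy
if (Test-WerHardened $before) {
    Write-Output "WER already redirected to $($before.Server) with SSL forced."
} else {
    Write-Warning "WER reports leave this host for Microsoft (server='$($before.Server)', SSL=$($before.UseSSL))."
    if ($Apply) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name CorporateWerServer     -Value $CollectorHost -Type String
        Set-ItemProperty -Path $PolicyKey -Name CorporateWerUseSSL     -Value 1 -Type DWord
        Set-ItemProperty -Path $PolicyKey -Name CorporateWerPortNumber -Value $Port -Type DWord
        $after = Get-WerPolicy
        if (Test-WerHardened $after) {
            Write-Output "Hardened: reports now go to $($after.Server):$($after.Port) over SSL."
        } else {
            Write-Error 'Policy values did not take effect; run from an elevated prompt.'
        }
    }
}
```

Run it without -Apply first to see whether a host is still sending reports to Microsoft; the internal collector itself must also be configured to accept WER uploads over TLS.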