Unencrypted Windows Crash Reports a Blueprint For Attackers

An anonymous reader writes "According to Forbes online, up to 1 billion PCs are at risk of leaking information that could be used as a blueprint for attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that are sent in the clear. Researchers at Websense Labs released a detailed overview of the data contained in the crash reports, shortly after Der Spiegel released documents alleging that nation-state hackers may have used this information to execute highly targeted attacks with a low risk of detection, by crafting attacks specifically for vulnerable applications that are running on the network. Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

Re:Not everything is about software security.

[recoiledsnake]

If you're really concerned about security on your individual systems, DONT USE WINDOWS. There, fixed it for ya.

Ubuntu does the same, if not worse.
https://launchpad.net/apport [launchpad.net]

pport intercepts Program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also offers the user to report a bug about a package, with again collecting as much information about it as possible.

It currently supports

  - Crashes from standard signals (SIGSEGV, SIGILL, etc.) through the kernel coredump handler (in piping mode)
    - Unhandled Python exceptions
    - GTK, KDE, and command line user interfaces
    - Packages can ship hooks for collecting speficic data (such as /var/log/Xorg.0.log for X.org, or modified gconf settings for GNOME programs)
    - apt/dpkg and rpm backend (in production use in Ubuntu and OpenSUSE)
    - Reprocessing a core dump and debug symbols for post-mortem (and preferably server-side) generation of fully symbolic stack traces (apport-retrace)
    - Reporting bugs to Launchpad (more backends can be easily added)

If you're really concerned about WER on Windows, just say no when it asks you to send crash reports.

Re:Next!

[drinkypoo]

Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

They're used for two things. One, to figure out which bugs are actually impacting customers. Two, when there's a bug Microsoft has decided they care about. Either way, by never sending them in you're not voting for your bugs to be fixed.

Re:Not everything is about software security.

[recoiledsnake]

But in ubuntu you can (and i do) turn it off!

In Windows, it's turned off until you turn it on.

Re:Duh

[heypete]

Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but my understanding was that Windows came with a bunch of generic drivers for devices, and only checked Windows Update for a device if you told it to when installing the device.

Am I wrong?

Windows typically checks Windows Update for drivers for all newly-connected devices, then look for locally-installed drivers if the Windows Update check didn't find anything. Certain devices (like USB mass storage devices, for example)) are installed using local drivers first, as most people want their USB flash drives to work as soon as possible but are willing to wait a few tens of seconds for other devices.

Ignoring privacy concerns, this is a fairly sensible thing: more devices can be "plug and play" and this benefits users. Similarly, while a driver might be included on a CD that comes with a device, it might be outdated -- an online check with Windows Update can retrieve the latest driver.

Re:Next!

[clodney]

Several times I have gotten the little popup in the tray of Win7 telling me that there is a fix for an issue that I have had. Usually it takes the form of a driver update or a hotfix.

At one point I worked for a company that used Windows Error Reporting in our app, and MS did indeed route the crash reports to us, which we did debug and generally fix.

Re:Next!

[Etherwalk]

Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

They're used for two things. One, to figure out which bugs are actually impacting customers. Two, when there's a bug Microsoft has decided they care about. Either way, by never sending them in you're not voting for your bugs to be fixed.

This. It's true lots of crash reports aren't acted on--it's also true that something like 5% of users generate 90%+ of crash reports. But they give great information on "this is affecting umpteen million people so we should fix it because it will save lots of man-years" or "someone's having a problem and we should see if any of the data we have will help us fix it."

Re:Next!

[bmajik]

fyi, I have personally analyzed WER crash dumps and used them to get the root causes fixed in the next update/release in multiple Microsoft products.

(Dynamics AX and Visual Studio, if you're curious)

We (Microsoft) not only look at WER data, we act on it.

You are correct that it is often really hard to figure out what crazy thing happened, but we try anyway, and sometimes, we're able to figure it out and create fixes.

As was mentioned elsewhere, WER data also tells us WHO is hitting a problem and how often it is being reported. That gives us valuable information about prioritizing WER responses.

If you don't want to pay the perf/bandwidth penalty for collecting/uploading reports, that's understandable. But as mentioned elsewhere, you're abstaining from "voting" to have your issues looked at sooner/more thoroughly.

Then, if you care about such things, there's the "social responsibility" aspect of it. I'd much rather we shipped perfect software, but we don't. WER is one of the best ways we can see issues that customers are hitting and get a sense of how painful they are for customers. If the goal is for MS to be less awful, WER is a key feedback mechanism to help us help you.

It would be a shame if your environment produced just the right heap dump that let us understand an issue that was impacting millions of people... and it was locked on your machine. Not only would your abstention cost YOU, but it would cost everyone else as well.

Is it your fault we ship bugs? Of course not. Would it help you, us, and millions of other people if you turned on WER? Probably.

Thanks,
Matt Evans
Senior SDET, Visual Studio