Windows Bug Privacy Security

Unencrypted Windows Crash Reports a Blueprint For Attackers 103

An anonymous reader writes "According to Forbes online, up to 1 billion PCs are at risk of leaking information that could be used as a blueprint for attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that are sent in the clear. Researchers at Websense Labs released a detailed overview of the data contained in the crash reports, shortly after Der Spiegel released documents alleging that nation-state hackers may have used this information to execute highly targeted attacks with a low risk of detection, by crafting attacks specifically for vulnerable applications that are running on the network. Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."
  • by MobSwatter ( 2884921 ) on Thursday January 02, 2014 @02:55PM (#45848325)

    True, now if we could just breed that trait out of politicians we'd be set!

  • Next! (Score:5, Insightful)

    by ledow ( 319597 ) on Thursday January 02, 2014 @03:03PM (#45848419) Homepage

    Disabled on every machine I own, every machine I've deployed, every machine that I've been given the permission to manage.

    Not because I think someone might be able to sniff them and then use them against my workplaces / PCs. Purely because they are WORTHLESS.

    Reporting them, you see nothing back. All those people who get error reports upon upgrading to a duff hotfix, it takes someone to whinge to Microsoft to get it fixed. Millions of crash reports aren't acted upon, from what I see. I doubt anyone reads them.

    When offered to software developers, etc., I'm always told that it's easier to just get me to run a debug version rather than piss about with any built-in error reporting / dumping possible from the Microsoft tools. It gives them more information, they can debug it live, and I don't have to worry about information going back and forth.

    Pretty much every time I've had one, it's been ignored, by Microsoft, developers, or myself. I learned a long time ago that debugging from any default dump or crash report - even for huge multinational companies that are trying to help solve your problem - is worthless. It's just not worth the effort.

    Hence I've disabled them since day one. Not only do they not do anything useful, they don't tell me anything useful, they want to connect to the Internet (which can trigger my software firewall for a completely different process to those authorised applications I already allow through, assuming the machine is even online), and they actually make the error messages HARDER to read for my users. I disabled it entirely. "There was an error" and a hard crash is infinitely better than my users trying to debug a crashed application themselves or sending off dumps because the button says to do it, and still getting a hard crash. Hell, if the crash was because the network cable fell out (which apps will if they are based on a network share sometimes), the submission process triggers a DNS lookup which hangs the PC for 30+ seconds sometimes.

    Worthless. Disabled.

  • Double edged sword (Score:4, Insightful)

    by Kardos ( 1348077 ) on Thursday January 02, 2014 @03:15PM (#45848585)

    On one hand, it would be rather straightforward for Microsoft to push a patch to use encryption for these reports. On the other hand, now you are running closed source software that sends a bunch of data to Microsoft -- data that you can not inspect. When it is sent in the clear, at least you could sniff your traffic and see what Microsoft is getting. So with encrypted crash reports, you need to trust Microsoft more than now.

    MS Word crashed? Better send the docx file that caused the crash as well, it's not like the user(s) can call Microsoft out for it with encryption.

  • Assumptions (Score:4, Insightful)

    by WaffleMonster ( 969671 ) on Thursday January 02, 2014 @03:30PM (#45848741)

    I'll admit to being surprised by this. I assumed Microsoft had the common sense to encrypt error reports, especially given they contain at least partial contents of applications' internal memory and would therefore be assumed to be considered sensitive. The dialogues asking you to send certainly make this posture clear.

    In fact when I first read this the other day I was a bit confused as to how they (NSA) were getting this data...from Microsoft servers? It didn't even enter my mind these things were sent unencrypted and trivially pulled off the wire.

    While we normally have WER and associated scheduler task entries disabled there are still some machines we send the reports in the off-chance bugs get fixed...not anymore...sad.. inexcusable...

    This creates quite an interesting feedback loop: imagine using QUANTUMINSERT to load malware or trigger crashes... if there is a problem or you're not sure about the memory environment, sit back and wait for the error report.
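
Several commenters above say they keep WER and its scheduled task entries disabled. The following read-only audit is an added example, not code from the thread or from Microsoft, showing one way to confirm that state on a machine. It assumes PowerShell 5 or later on Windows 8 / Server 2012 or newer; the registry paths, the `WerSvc` service and the task folder are standard Windows names, not values taken from this page.

```powershell
# Added example: read-only audit of Windows Error Reporting (WER) state.
# Nothing here changes configuration; it only reports what is set.
$werKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting',  # Group Policy
    'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'            # local setting
)

$findings = @(foreach ($key in $werKeys) {
    $value = $null
    if (Test-Path $key) {
        # 'Disabled' = 1 turns WER off; a missing value means the default (on) applies
        $value = (Get-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue).Disabled
    }
    [pscustomobject]@{
        Check  = "Registry: $key"
        State  = if ($null -eq $value) { 'Disabled value not set' } else { "Disabled = $value" }
        WerOff = ($value -eq 1)
    }
})

# The WER service can still be demand-started unless its start type is Disabled
$svc = Get-Service -Name WerSvc -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{
    Check  = 'Service: WerSvc'
    State  = if ($svc) { "$($svc.Status), StartType $($svc.StartType)" } else { 'not present' }
    WerOff = (-not $svc) -or ($svc.StartType -eq 'Disabled')
}

# Scheduled tasks that submit queued reports later, e.g. once the network is back
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Error Reporting\' -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    $findings += [pscustomobject]@{
        Check  = "Task: $($t.TaskName)"
        State  = "$($t.State)"
        WerOff = ($t.State -eq 'Disabled')
    }
}

$findings | Format-Table -AutoSize -Wrap

# Summary: either registry location with Disabled = 1 switches reporting off
$regOff = @($findings | Where-Object { $_.Check -like 'Registry*' -and $_.WerOff }).Count -gt 0
$leftOn = @($findings | Where-Object { -not $_.WerOff -and $_.Check -notlike 'Registry*' })
if (-not $regOff) {
    Write-Warning 'WER is not disabled by policy or local registry setting.'
} elseif ($leftOn.Count -gt 0) {
    Write-Warning "WER disabled in registry, but still enabled: $($leftOn.Check -join '; ')"
} else {
    Write-Output 'WER is disabled by registry setting, service start type and scheduled tasks.'
}
```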
