Windows Error Reporting Exposes Your Vulnerabilities

If you don't keep your operating system and applications up to date, you leave your PC vulnerable to attacks that exploit known security holes. We've said it again and again. Perhaps you think an attack is unlikely, since the bad guys have no way of knowing just which of your apps are vulnerable? Well, think again. In a recent blog post, Websense Security Labs reported that every time your computer sends an error report to Microsoft's Dr. Watson service, it reveals a ton of information in plain text, data that a hacker could sieve from your network traffic to craft an attack.
Can't Say No
It's true that when an application crashes, the resulting Windows Error Reporting dialog asks your permission before sending a report to Microsoft.
However, many everyday occurrences trigger a silent report, no permission required. Websense directory of security research Alex Watson (no relation to Microsoft's Dr. Watson) used a simple network traffic capture tool to reveal that even something as simple as plugging in a new USB device can trigger a report.
Dr. Watson transmits detailed information about the USB device and about the host computer in plain, unencrypted text form. This data includes the precise operating system, service pack, and update version for the host, as well as the host's BIOS version and unique machine identifier.
When an application crashes, the report naturally includes the name and precise version number for that application. It also reports the reason for the crash and the internal location of the instruction that served as the proximate cause. Knowing the details of the crash, an attacker could arrange to attack the affected application and potentially compromise security.
Not All Exposed
On the positive side, only the first stage of error reporting goes through in plain text. Stages two through four, which can contain personally identifiable information, are transmitted using HTTPS encryption. Microsoft clearly states that "All report data that could include personally identifiable information is encrypted (HTTPS) during transmission. The software 'parameters' information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted."
The unencrypted first stage could actually be useful to the IT department of a large organization. Watson points out that an IT expert could use it "to understand uptake of new BYOD policies and to identify potential security risks." The problem is that a hacker could also identify those risks, and actively use them to penetrate security.
What Can You Do?
According to the report, Microsoft estimates that nearly 80 percent of all Windows PCs participate in the error reporting program. Websense recommends that businesses use a Group Policy called Corporate Windows Error Reporting. By configuring this policy so it redirects error reports to an internal server, the IT staff can ensure secure transmission to Microsoft and can also mine the resulting data for their own purposes.
That's all very well, but what about personal PCs? I asked Alex Watson what an individual can do about this potential leakage of vulnerability data. "There does not appear to be a straight forward solution for individual, unmanaged users to encrypt their Stage One error reports to Windows Error Reporting," said Watson. "If you are an individual user and have concerns about these reports potentially being intercepted, I would recommend disabling Windows Error Reporting on your PC as outlined by Microsoft."
"However, I would note that these reports are extremely useful to Microsoft and application developers to ensure quality of their products and prioritize bug fixes," continued Watson. "Taking yourself out of the WER program could make it that much slower for a bug affecting your computer to be noticed and fixed. An ideal solution is for Microsoft to use SSL/TLS on all stages of Windows Error Reporting, which would mitigate any concerns users or organizations face from a security perspective."
I can't argue with that! So, how about it, Microsoft? You're already encrypting the other three stages. When will you add protection to the first state of error reporting?