Microsoft has been revealed to be sending out its “crash logs” in plain text.
According to research by Websense Security Labs, it found that Windows Error Reporting predominantly sends out its crash logs in clear text, which could potentially allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration.
More than one billion network-connected PCs use the Windows Error Reporting program, and the reports often contain details such as the operating system being used, as well as the service pack and update versions.
Websense said: “Our research indicates that by default, many organisations are reporting specific information about applications, services and hardware through Microsoft Error Reporting in clear-text. These application reports are not just limited to crashes, but also events such as failed application updates, USB device insertions, and in some cases even TCP Timeouts between computers on the network, a large percentage of which is sent in HTTP clear text.”
While this information is critical for Microsoft to debug application crashes and hardware configurations, Websense strongly recommended organisations follow Microsoft’s recommendations to redirect all Windows Error Reporting traffic on their network to an internal server using a group policy to force encryption on all telemetry reports, and periodically audit their own network and applications for inadvertent leaking of information with security implications.
According to a leaked presentation seen by Der Spiegel, NSA’s TAO (Tailored Access Operations) division can be automatically notified whenever a targeted computer sends a crash report. The presentation said that the automated crash reports are a “neat way” to gain “passive access” to a machine, as the computer itself is not manipulated.
Carl Leonard, senior security research manager EMEA at Websense, said: “What is surprising though is that without the organisation’s knowledge, information is automatically sent to WER every time a Window’s user connects a new USB device to a computer; information that would be of value to an attacker, causing organisations to be more prone to increased data leaks.”
