Unencrypted Windows crash reports give 'significant advantage' to hackers, spies
More thorough crash reports, including ones that Microsoft silently triggers from its end of the telemetry chain, contain personal information and so are encrypted and transmitted via HTTPS. "If Microsoft is curious about the report or wants to know more, they can ask your computer to send a mini core dump," explained Watson. "Personal identifiable information in that core dump is encrypted."
Microsoft uses the error and crash reports to spot problems in its software as well as that crafted by other developers. Widespread reports typically lead to reliability fixes deployed in non-security updates.
The Redmond, Wash. company also monitors the crash reports for evidence of as-yet-unknown malware: Unexplained and suddenly increasing crashes may be a sign that a new exploit is in circulation, Watson said.
Microsoft often boasts of the value of the telemetry to its designers, developers and security engineers, and with good reason: An estimated 80% of the world's billion-plus Windows PCs regularly send crash and error reports to the company.
But the unencrypted information fed to Microsoft by the initial and lowest-level reports -- which Watson labeled "Stage 1" reports -- constitutes a dangerous leak, Watson contended.
"We've substantiated that this is a major risk to organizations," said Watson.
Error reporting can be disabled manually on a machine-by-machine basis, or in large sets by IT administrators using Group Policy settings.
Websense recommended that businesses and other organizations redirect the report traffic on their network to an internal server, where it can be encrypted before being forwarded to Microsoft.
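The redirect-and-encrypt setup Websense recommends, as an added PowerShell example that is not from the article, Websense or Microsoft: it writes the Corporate Windows Error Reporting policy values that Microsoft documents for WER so that clients send reports to an internal collector over SSL rather than straight to Microsoft in the clear. The server name is a placeholder, and the collector's own encrypted forwarding to Microsoft is outside this script.

```powershell
# Added example (not from the article or Websense): point Windows Error Reporting on a
# managed PC at an internal Corporate WER server over SSL, or disable it entirely.
# Assumes the documented WER policy key and value names; 'wer.corp.example' is a placeholder.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Set-CorporateWer {
    param(
        [Parameter(Mandatory)][string]$Server,   # internal collector, placeholder name
        [int]$Port = 443,
        [switch]$Disable                         # the alternative the article mentions: turn WER off
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    if ($Disable) {
        # Stops all reports, at the cost of the diagnostic value Watson argues for keeping.
        Set-ItemProperty -Path $PolicyKey -Name 'Disabled' -Value 1 -Type DWord
        return
    }

    Set-ItemProperty -Path $PolicyKey -Name 'Disabled' -Value 0 -Type DWord
    # Send Stage 1 and follow-up reports to the internal server instead of Microsoft ...
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerServer' -Value $Server -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerPortNumber' -Value $Port -Type DWord
    # ... and require SSL on that hop, so application/module names and exception codes
    # never cross the network in cleartext.
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerUseSSL' -Value 1 -Type DWord
    # Do not automatically ship the larger additional data without a request.
    Set-ItemProperty -Path $PolicyKey -Name 'DontSendAdditionalData' -Value 1 -Type DWord
}

function Test-CorporateWer {
    # Audit helper: $true only when reports are redirected AND SSL is enforced on the client.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and [bool]$p.CorporateWerServer -and $p.CorporateWerUseSSL -eq 1)
}

Set-CorporateWer -Server 'wer.corp.example'
if (-not (Test-CorporateWer)) { Write-Warning 'WER still reports directly to Microsoft in the clear.' }
```

Deploying the same values through the "Configure Corporate Windows Error Reporting" Group Policy setting achieves the fleet-wide version of this on domain-joined machines.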
But to turn it off entirely would be to throw away a solid diagnostic tool, Watson argued. ERS can provide insights not only to hackers and spying eavesdroppers, but also to IT departments.
"[ERS] does the legwork, and can let [IT] see where vulnerabilities might exist, or whether rogue software or malware is on the network," Watson said. "It can also show the uptake on BYOD [bring your own device] policies," he added, referring to the automatic USB device reports.
Microsoft should encrypt all ERS data that's sent from customer PCs to its servers, Watson asserted.
A Microsoft spokesperson asked to comment on the Websense and Der Spiegel reports said, "Microsoft does not provide any government with direct or unfettered access to our customer's data. We would have significant concerns if the allegations about government actions are true."
The spokesperson added that, "Secure Socket Layer connections are regularly established to communicate details contained in Windows error reports," which is only partially true, as Stage 1 reports are not encrypted, a fact that Microsoft's own documentation makes clear.
"The software 'parameters' information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted," Microsoft acknowledged in a document about ERS.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed.