Unencrypted Windows crash reports give 'significant advantage' to hackers, spies
More thorough crash reports, including ones that Microsoft silently triggers from its end of the telemetry chain, contain personal information and so are encrypted and transmitted via HTTPS. "If Microsoft is curious about the report or wants to know more, they can ask your computer to send a mini core dump," explained Watson. "Personal identifiable information in that core dump is encrypted."
Microsoft uses the error and crash reports to spot problems both in its own software and in software written by other developers. Widespread reports typically lead to reliability fixes deployed in non-security updates.
The Redmond, Wash. company also monitors the crash reports for evidence of as-yet-unknown malware: Unexplained and suddenly-increasing crashes may be a sign that a new exploit is in circulation, Watson said.
Microsoft often boasts of the value of the telemetry to its designers, developers and security engineers, and with good reason: An estimated 80% of the world's billion-plus Windows PCs regularly send crash and error reports to the company.
But the unencrypted information fed to Microsoft by the initial and lowest-level reports -- which Watson labeled "Stage 1" reports -- constitutes a dangerous leak, Watson contended.
"We've substantiated that this is a major risk to organizations," said Watson.
Error reporting can be disabled manually on a machine-by-machine basis, or in bulk by IT administrators using Group Policy settings.
Websense recommended that businesses and other organizations redirect the report traffic on their network to an internal server, where it can be encrypted before being forwarded to Microsoft.
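The two options above, switching error reporting off or redirecting it to an internal collector, both come down to a handful of registry values that the corresponding Group Policy settings write. The script below is an added example, not code from the Computerworld article or from Websense's report. It writes the same values under the Windows Error Reporting policy key that the "Configure Corporate Windows Error Reporting" and "Disable Windows Error Reporting" policies set, and adds a small audit function. The collector hostname `wer.corp.example` is a placeholder assumption; forwarding from that collector on to Microsoft over an encrypted channel is the collector's job and is not shown here.

```powershell
# Added example (not from the article or Websense): point Windows Error
# Reporting at an internal collector over SSL, or disable it, by writing the
# registry values behind the corresponding Group Policy settings.
# Run in an elevated PowerShell session. 'wer.corp.example' is an assumed name.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Set-WerCorporateRedirect {
    param(
        [Parameter(Mandatory)] [string] $Server,   # internal WER collector host
        [int] $Port = 443,
        [switch] $NoSsl                              # SSL to the collector is on by default
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Keep WER itself enabled: the goal is to retain the telemetry while
    # stopping Stage 1 parameters from crossing the Internet in the clear.
    Set-ItemProperty -Path $PolicyKey -Name 'Disabled' -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerServer' -Value $Server -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerPortNumber' -Value $Port -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerUseSSL' -Value ([int](-not $NoSsl)) -Type DWord
    # 1 = Windows-integrated authentication to the collector; 0 for an anonymous collector
    Set-ItemProperty -Path $PolicyKey -Name 'CorporateWerUseAuthentication' -Value 1 -Type DWord
}

function Disable-Wer {
    # Machine-by-machine equivalent of the "Disable Windows Error Reporting" policy.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'Disabled' -Value 1 -Type DWord
}

function Get-WerPolicyState {
    # Audit helper: summarizes the policy values so fleets can be checked at scale.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $disabled  = [bool]$p.Disabled
    $hasServer = -not [string]::IsNullOrEmpty($p.CorporateWerServer)
    [pscustomobject]@{
        Disabled        = $disabled
        CorporateServer = $p.CorporateWerServer
        Port            = $p.CorporateWerPortNumber
        UseSsl          = [bool]$p.CorporateWerUseSSL
        # Stage 1 reports leave the network unencrypted when WER is enabled
        # and no internal collector has been configured.
        LeaksToInternet = (-not $disabled) -and (-not $hasServer)
    }
}

# Usage: redirect reports to the internal collector, then confirm the state.
Set-WerCorporateRedirect -Server 'wer.corp.example' -Port 443
Get-WerPolicyState
```

Values under the `Policies` hive override whatever a user has chosen in the Action Center, which is why these are the right keys to audit; `Get-WerPolicyState` flags a host as leaking only when WER is on and no corporate server is set, which matches the Stage 1 exposure the article describes.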
But to turn it off entirely would be to throw away a solid diagnostic tool, Watson argued. ERS can provide insights not only to hackers and spying eavesdroppers, but also to IT departments.
"[ERS] does the legwork, and can let [IT] see where vulnerabilities might exist, or whether rogue software or malware is on the network," Watson said. "It can also show the uptake on BYOD [bring your own device] policies," he added, referring to the automatic USB device reports.
Microsoft should encrypt all ERS data that's sent from customer PCs to its servers, Watson asserted.
A Microsoft spokesperson asked to comment on the Websense and Der Spiegel reports said, "Microsoft does not provide any government with direct or unfettered access to our customers' data. We would have significant concerns if the allegations about government actions are true."
The spokesperson added that, "Secure Socket Layer connections are regularly established to communicate details contained in Windows error reports," which is only partially true, as Stage 1 reports are not encrypted, a fact that Microsoft's own documentation makes clear.
"The software 'parameters' information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted," Microsoft acknowledged in a document about ERS.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.