Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unencrypted Windows Crash Reports a Blueprint For Attackers

Posted by timothy on from the distributed-fuzzing-attack dept.

An anonymous reader writes "According to Forbes online, up to 1 billion PCs are at risk of leaking information that could be used as a blueprint for attackers to compromise a network from Microsoft Windows Error Reporting (WER) crash reports that are sent in the clear. Researchers at Websense Labs released a detailed overview of the data contained in the crash reports, shortly after Der Spiegel released documents alleging that nation-state hackers may have used this information to execute highly targeted attacks with a low risk of detection, by crafting attacks specifically for vulnerable applications that are running on the network. Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

21 of 103 comments (clear)

  1. Duh by mythosaz · · Score: 5, Funny

    Also interesting to think that Microsoft knows exactly what model of phones that you have plugged into your PC..."

    Wait, you mean my crash reports include a list of devices?!?

    The horror.

    1. Re:Duh by recoiledsnake · · Score: 5, Funny

      Reading the article, it says that each time you plug in a new USB device, it automatically sends that information to Microsoft. Even if you don't send the Windows crash reports to Microsoft, your computer is still phoning home each time you install a new USB device.

      Duh, how does it search for drivers on Windows Update then? Turn off that functionality and then check, if it still does, then it's news.

      Next you will tell me that my browser is broadcasting an IP Address.

      --
      This space for rent.
    2. Re:Duh by heypete · · Score: 4, Informative

      Sorry; perhaps I'm being incredibly ignorant here (I'm the AC that posted above), but my understanding was that Windows came with a bunch of generic drivers for devices, and only checked Windows Update for a device if you told it to when installing the device.

      Am I wrong?

      Windows typically checks Windows Update for drivers for all newly-connected devices, then look for locally-installed drivers if the Windows Update check didn't find anything. Certain devices (like USB mass storage devices, for example)) are installed using local drivers first, as most people want their USB flash drives to work as soon as possible but are willing to wait a few tens of seconds for other devices.

      Ignoring privacy concerns, this is a fairly sensible thing: more devices can be "plug and play" and this benefits users. Similarly, while a driver might be included on a CD that comes with a device, it might be outdated -- an online check with Windows Update can retrieve the latest driver.

    3. Re:Duh by recoiledsnake · · Score: 2

      . Searching for drivers on windows update is completely unnecessary for about 95% of the things you will ever plug in, and usually fruitless for the other 5%.

      Reference?
      The drivers that come with the device or Windows might be outdated, buggy and/or omit new features.
      I see updates to drivers in Windows Update many times so they're quite useful to me. Even as a power user, I don't keep visiting my hardware driver websites and keep comparing driver versions. Do you do that? The other option is to clutter up the system with 15 auto updaters from 10 companies. Is hiding the hardware you use from MS(assuming they start encrypting the data, which was a bad omission) that important to all users? Those who have that issue can turn it off.

      --
      This space for rent.
  2. Who submits these reports? by Gothmolly · · Score: 2

    Who actually lets Windows submit these?

    Also, if you don't trust your ISP not to snoop these, you shouldn't trust them not to snoop your real traffic too.

    --
    I want to delete my account but Slashdot doesn't allow it.
  3. Re:Windows users need to be raped by horses by MobSwatter · · Score: 2, Insightful

    True, now if we could just bread that trait out of politicians we'd be set!

  4. Old news by cyberspittle · · Score: 2

    Anyone who can access technical support resources can access customer data. The biggest issue is that most technical support is outsourced to other countries, which now have full technical (hardware+software version, etc.) and customer information (good for social engineering).

  5. Next! by ledow · · Score: 4, Insightful

    Disabled on every machine I own, every machine I've deployed, every machine that I've been given the permission to manage.

    Not because I think someone might be able to sniff them and then use them against my workplaces / PC's. Purely because they are WORTHLESS.

    Reporting them, you see nothing back. All those people who get error reports upon upgrading to a duff hotfix, it takes someone to whinge to Microsoft to get it fixed. Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

    When offered to software developers, etc., I'm always told that it's easier to just get me to run a debug version rather than piss about with any built-in error reporting / dumping possible from the Microsoft tools. It gives them more information, they can debug it live, and I don't have to worry about information going back and forth.

    Pretty much every time I've had one, it's been ignored, by Microsoft, developers, or myself. I learned a long time ago that debugging from any default dump or crash report - even for huge multinational companies that are trying to help solve your problem - is worthless. It's just not worth the effort.

    Hence I've disabled them since day one. Not only do they not do anything useful, they don't tell me anything useful, they want to connect to the Internet (which can trigger my software firewall for a completely different process to those authorised applications I already allow through, assuming the machine is even online), and they actually make the error messages HARDER to read for my users. I disabled it entirely. "There was an error" and a hard crash is infinitely better than my users trying to debug a crashed application themselves or sending off dumps because the button says to do it, and still getting a hard crash. Hell, if the crash was because the network cable fell out (which apps will if they are based on a network share sometimes), the submission process triggers a DNS lookup which hangs the PC for 30+ seconds sometimes.

    Worthless. Disabled.

    1. Re:Next! by drinkypoo · · Score: 4, Informative

      Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

      They're used for two things. One, to figure out which bugs are actually impacting customers. Two, when there's a bug Microsoft has decided they care about. Either way, by never sending them in you're not voting for your bugs to be fixed.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Next! by clodney · · Score: 4, Informative

      Several times I have gotten the little popup in the tray of Win7 telling me that there is a fix for an issue that I have had. Usually it takes the form of a driver update or a hotfix.

      At one point I worked for a company that used Windows Error Reporting in our app, and MS did indeed route the crash reports to us, which we did debug and generally fix.

    3. Re:Next! by Etherwalk · · Score: 3, Informative

      Millions of crash reports aren't acted up, from what I see. I doubt anyone reads them.

      They're used for two things. One, to figure out which bugs are actually impacting customers. Two, when there's a bug Microsoft has decided they care about. Either way, by never sending them in you're not voting for your bugs to be fixed.

      This. It's true lots of crash reports aren't acted on--it's also true that something like 5% of users generate 90%+ of crash reports. But they give great information on "this is affecting umpteen million people so we should fix it because it will save lots of man-years" or "someone's having a problem and we should see if any of the data we have will help us fix it."

    4. Re:Next! by Rich0 · · Score: 2

      Disabled on every machine I own, every machine I've deployed, every machine that I've been given the permission to manage.

      All the good stuff you posted aside, you're still just as vulnerable. This isn't just about you leaking info to the NSA about what you have installed, but it is also about everybody else leaking info to the NSA about the bugs in Windows in general. The NSA can use that to create zero-days, which will work perfectly fine against your version of Windows since it contains the same flaws even if you aren't personally reporting them to MS.

    5. Re:Next! by bmajik · · Score: 3, Informative

      fyi, I have personally analyzed WER crash dumps and used them to get the root causes fixed in the next update/release in multiple Microsoft products.

      (Dynamics AX and Visual Studio, if you're curious)

      We (Microsoft) not only look at WER data, we act on it.

      You are correct that it is often really hard to figure out what crazy thing happened, but we try anyway, and sometimes, we're able to figure it out and create fixes.

      As was mentioned elsewhere, WER data also tells us WHO is hitting a problem and how often it is being reported. That gives us valuable information about prioritizing WER responses.

      If you don't want to pay the perf/bandwidth penalty for collecting/uploading reports, that's understandable. But as mentioned elsewhere, you're abstaining from "voting" to have your issues looked at sooner/more thoroughly.

      Then, if you care about such things, there's the "social responsibility" aspect of it. I'd much rather we shipped perfect software, but we don't. WER is one of the best ways we can see issues that customers are hitting and get a sense of how painful they are for customers. If the goal is for MS to be less awful, WER is a key feedback mechanism to help us help you.

      It would be a shame if your environment produced just the right heap dump that let us understand an issue that was impacting millions of people... and it was locked on your machine. Not only would your abstention cost YOU, but it would cost everyone else as well.

      Is it your fault we ship bugs? Of course not. Would it help you, us, and millions of other people if you turned on WER? Probably.

      Thanks,
      Matt Evans
      Senior SDET, Visual Studio

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    6. Re:Next! by bmajik · · Score: 2

      Rereading what I wrote, I should clarify this part

      WER data also tells us WHO is hitting a problem

      WER data doesn't tell us your personally identifiable information (name, email address, etc)

      What I meant by that is that it bucketizes crash reports according to different dimensions. User's language/locale, operating system revision, product binary version, etc.

      This is more valuable than you might think. It turns out that certain crashes only happen on certain languages, or that crashes happened shortly after release but stopped happening within a few weeks, or that no builds past revision xxx of a file matched the crash, etc.

      Any MS engineer that wants to access WER data has to deal with some legalese around customer PII, and the WER upload bundles are pre-processed before we ever get to see them.

      Resume panic :)

      --
      My opinions are my own, and do not necessarily represent those of my employer.
  6. Re:Not everything is about software security. by recoiledsnake · · Score: 5, Informative

    If you're really concerned about security on your individual systems, DONT USE WINDOWS. There, fixed it for ya.

    Ubuntu does the same, if not worse.
    https://launchpad.net/apport

    pport intercepts Program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also offers the user to report a bug about a package, with again collecting as much information about it as possible.

    It currently supports

      - Crashes from standard signals (SIGSEGV, SIGILL, etc.) through the kernel coredump handler (in piping mode)
        - Unhandled Python exceptions
        - GTK, KDE, and command line user interfaces
        - Packages can ship hooks for collecting speficic data (such as /var/log/Xorg.0.log for X.org, or modified gconf settings for GNOME programs)
        - apt/dpkg and rpm backend (in production use in Ubuntu and OpenSUSE)
        - Reprocessing a core dump and debug symbols for post-mortem (and preferably server-side) generation of fully symbolic stack traces (apport-retrace)
        - Reporting bugs to Launchpad (more backends can be easily added)

    If you're really concerned about WER on Windows, just say no when it asks you to send crash reports.

    --
    This space for rent.
  7. Double edged sword by Kardos · · Score: 3, Insightful

    On one hand, it would be rather straightforward for Microsoft to push a patch to use encryption for these reports. On the other hand, now you are running closed source software that sends a bunch of data to Microsoft -- data that you can not inspect. When it is sent in the clear, at least you could sniff your traffic and see what Microsoft is getting. So with encrypted crash reports, you need to trust Microsoft more than now.

    MS Word crashed? Better send the docx file that caused the crash as well, it's not like the user(s) can call Microsoft out for it with encryption.

  8. Assumptions by WaffleMonster · · Score: 3, Insightful

    I'll admit to being surprised by this. I assumed Microsoft had the common sense to encrypt error reports especially given they contain at least partial contents of applications internal memory and would therefore assumed to be considered sensitive. The dialogues asking you to send certainly make this posture clear.

    In fact when I first read this the other day I was a bit confused as to how they (NSA) were getting this data...from Microsoft servers? It didn't even enter my mind these things were sent unencrypted and trivially pulled off the wire.

    While we normally have WER and associated scheduler task entries disabled there are still some machines we send the reports in the off-chance bugs get fixed...not anymore...sad.. inexcusable...

    This completes creates quite an interesting feedback loop imagine using QUANTUMINSERT to load malware or trigger crashes... if there is a problem or your not sure about the memory environment sit back and wait for the error report.

    1. Re:Assumptions by WaffleMonster · · Score: 2

      Reading more carefully dumps are encrypted yet certain summary data like memory offset and shared library crash occurred within are not.

  9. Re:Not everything is about software security. by recoiledsnake · · Score: 3, Informative

    But in ubuntu you can (and i do) turn it off!

    In Windows, it's turned off until you turn it on.

    --
    This space for rent.
  10. Re:Not everything is about software security. by icebike · · Score: 2

    Joe user will never find this, and some are sent silently with no clear ability to turn it off.
    Even TFA is vague about this, suggesting you route them to an internal server on your network.

    --
    Sig Battery depleted. Reverting to safe mode.
  11. USB rings bell, and they must know at once. by 140Mandak262Jamuna · · Score: 5, Funny

    As you can see, within seconds of connecting the new USB device to the computer, a report is sent to watson.microsoft.com in HTTP (clear text). This report includes a considerable amount of information that is URL encoded into the request. This information includes:

    Every time you plug in a device to USB port, a di-ding bell sounds. It is of utmost importance to Microsoft to know a bell has rung, so that it can promote an angel second class to angel first class with wings.

    See? There is an innocent explanation for it after all.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact