January 3, 2014

Q&A: Windows Error Reporting Could Inadvertently Aid Cybercriminals

Alexander Watson

We recently released significant research detailing what information cybercriminals can gain with access to clear text telemetry reports from widely deployed applications, such as Windows Error Reporting (WER). Armed with this intelligence, attackers can map a precise blueprint of the target’s hardware and software network, which can be used to create tailored attacks with a high probability of success.

A few folks have asked questions, including how often these reports are generated and how they might be intercepted. Below I have provided additional insight.

What is Windows Error Reporting?

Windows Error Reporting (WER) is a crash reporting technology introduced by Microsoft with Windows XP and features fully automated reporting (opt-out for some features) in Windows Vista, Windows 7 and Windows 8. The program kicks in when it detects a problem with a piece of software or hardware, such as an application crash. To improve Microsoft products, a bug/crash report is sent back to Redmond.

Websense research indicates that WER in Windows XP, Windows Vista and Windows 7 sends specific information about applications, services and hardware, with the first stage of reporting commonly being sent in HTTP clear-text. Windows 8 sends data in the same format but follows industry best practice by using TLS encryption for all data. While we are all familiar with the application crash report that prompts users to share details with Microsoft, other automated (opt-out) reports include events such as failed application updates and USB device insertions. A large percentage of these reports are sent in HTTP clear-text to Microsoft, which risks exposing highly detailed software and hardware architecture information to attackers. Follow-on reporting stages, which provide additional information such as application crash mini-dumps that may contain PII (personally identifiable information), are always encrypted using SSL/TLS.

What types of intelligence do these reports show?

Application telemetry data is commonly unencrypted and can provide cybercriminals with the following intelligence over time:

  • The make and model of every PC on the corporate network
  • A list of every application and their versions installed on the computer
  • The specific machine ID of every computer
  • The operating system, service pack and updates installed
  • The BIOS version of the computer
  • All browsers (and their versions, extensions, apps and plug-ins) on these devices
  • A detailed breakout of every USB device that has been plugged into enterprise computers, version information and details about the PC it is connected to

Why does this matter to you?

Microsoft estimates that up to 80 percent of all network connected PCs use WER. That's more than one billion endpoints worldwide. First, these reports are incredibly valuable to Microsoft and other application vendors for ensuring the quality of their products. Second, it is our hope that with increased awareness, IT security teams will be able to harness these reports to learn more about their own networks. On the flip side, WER provides the same key information that hackers search for to identify and exploit vulnerable systems, such as OS, service pack and update versions. Crash information is useful to both attackers and the security community, as it may pinpoint a new exploitable code flaw for a zero-day attack.

How can cybercriminals access these reports?

On the Websense Security Labs blog, we have documented the type of in-depth system profiling that is possible from these clear text reports. Information is the most vulnerable when it is in transit to Microsoft, passing through various appliances and ISPs. Below are two ways that an attacker could possibly get access to this information:

  1. Collect the data upstream from the target – most likely at an Internet Service Provider (ISP) that is not trusted. This threat is particularly risky for large organizations with a multi-national footprint.
  2. Third-party security vendors, security appliances and browser plug-ins may collect and report this information independently.

The first scenario is perhaps the most worrisome because it occurs well off-premise.

How often are crash reports generated?

If you are interested in how many times your PC has recently generated crash reports, open up Control Panel -> System and Security -> Action Center -> Problems and Reports.

As I mentioned in the original Websense Security Labs blog, Windows Error Reporting reports are generated by more than just crash activity. Our analysis indicates that approximately 620 million WER reports traverse our customers’ infrastructure each year.

To answer this question more accurately, we examined the WER reports of several thousand enterprise-level data sets. For a 300 person company, this translates into 1,410 reports per month, or 47,000 reports monthly for a 10,000 person company. That's enough information for hackers with access to these reports to generate an accurate blueprint of the organization's operating systems, software versions and hardware architecture. No active network scanning required.

How can I keep my information safe?

Clearly, this is a serious business issue for some organizations. Below are the tips I provided in my original blog post.

We recommend that services which report application telemetry containing information about the security environment and underlying network infrastructure encrypt that data with SSL at a minimum, ideally using TLS 1.2 (http://tools.ietf.org/html/rfc5246). Applications that report this information without encrypting it risk leaking information at multiple points. This includes any upstream proxies, firewalls and ISPs situated between the corporate network and the destination, as well as the application developer and their partner organizations.

In the case of Microsoft Error Reporting and other popular application telemetry reporting systems, Websense recommends that organizations set group policies (when possible) to force encryption on all telemetry reports and periodically audit their own network and applications for inadvertent leaking of information with security implications.
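One way to run the periodic network audit recommended above, as an added example that is not Websense's or Microsoft's code: a small Python script that scans outbound proxy log lines (constructed here) for telemetry reports posted over plain HTTP and tallies which internal clients are exposed. The log line format and the watson.microsoft.com collector hostname are assumptions, since the page names neither.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames of WER report collectors. watson.microsoft.com is the well-known
# WER endpoint, but the page names none, so treat this tuple as an assumption
# and extend it with the telemetry services present in your own environment.
TELEMETRY_HOSTS = ("watson.microsoft.com",)

# Constructed proxy log lines, not real traffic. Assumed format:
# "<epoch> <client-ip> <method> <url>", one request per line.
SAMPLE_LOG = """\
1388707200.101 10.1.4.22 POST http://watson.microsoft.com/StageOne/report
1388707201.532 10.1.4.22 GET http://www.example.com/index.html
1388707210.007 10.1.4.57 POST https://watson.microsoft.com/StageTwo/upload
1388707222.410 10.1.4.91 POST http://watson.microsoft.com/StageOne/report
1388707230.880 10.1.4.22 POST http://watson.microsoft.com/StageOne/report
this line is malformed and must be skipped, not crash the audit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)

def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["url"])
    fields["scheme"] = parts.scheme.lower()
    fields["host"] = (parts.hostname or "").lower()
    return fields

def is_telemetry_host(host):
    """True if host is a known collector or one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in TELEMETRY_HOSTS)

def find_cleartext_telemetry(log_text):
    """Return the parsed requests that sent telemetry over plain HTTP."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["scheme"] == "http" and is_telemetry_host(f["host"]):
            findings.append(f)
    return findings

def exposure_by_client(log_text):
    """Count clear-text telemetry requests per internal client address."""
    return Counter(f["client"] for f in find_cleartext_telemetry(log_text))
```

On the constructed sample, the HTTPS upload and the unrelated web request are ignored, so `exposure_by_client(SAMPLE_LOG)` reports two clear-text WER posts from 10.1.4.22 and one from 10.1.4.91.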

As part of a comprehensive security strategy, it is important that organizations understand the data contained in application telemetry reports and the level of controls used to protect metadata. All of this can impact an organization's security posture. Websense TRITON® web, email and data security provides multiple levels of protection against advanced threats including those tailored specifically to customer environments. If you are interested in learning more about the Seven Stages of Advanced Threats, take a few minutes to watch an archived webinar about the seven stages for advanced threats and data theft, why current defenses fail, and which defense layers you should use to protect your network, resources, and data.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.