Windows’ Reporting May Leak PC, Network Data

Routine error reports include critical data, sent, by default, in clear text.

Windows-based PCs may be broadcasting sensitive security information to hackers, competitors and other potential sources of threats to the PC’s owner, according to new report on the Windows Error Reporting crash-response software.

Windows Error Reporting (WER) is a crash-reporting and debugging system built into all versions of Windows since it was first introduced with Windows XP. It was designed to help debug applications and system software by recording error information into log files and preserving memory dumps containing information on the health of the system at the time an application or operating system crashed, to better help technicians decide afterward what had gone wrong.

One critical difference, according to a report published Dec. 29 by security software developer Websense, Inc., is that the old version left crash reports stored on the ailing PC’s hard drive unless the user designated a way to send it to Microsoft or another technical source for analysis.

WER, according to documentation from Microsoft, is now far more capable because it integrates a wide range of reporting, error-tracking and error-correction functions and is stable enough to gather critical data even when the system is in a condition that would have made it impossible for the older version to run.

It is also able to analyze crashes or specific errors and suggest ways to fix them automatically, or link the user to a support page at Microsoft that can provide advice or automated Fix-It repair apps users can download.

Though users can choose not to send any reports automatically, or limit the details in those that Windows sends, WER is set up by default to send error information automatically to both Microsoft and the developer of the application that generated the problem, according to Websense.

WER is also set up to report both errors and relatively routine incidents – the connection of a new USB device, for example – to Microsoft without encryption or any other mechanism to hide the information from prying eyes.

Just plugging in a new USB mouse automatically generates a report to Microsoft that includes the date, name of the manufacturer, number identifying the device and its version number, the default language, operating system, service pack and update version of the host computer, as well as the manufacturer, model, name, BIOS version and hardware ID number.

“While this information is no doubt critical for Microsoft to debug application crashes and hardware configurations, it can represent a significant information leak when it leaves an organization without being encrypted,” according to the report.

The threat of that information being intercepted may be relatively small to a large, IT-savvy organization, but WER doesn’t send information on just one machine from a large organization. Microsoft estimates 80 percent of Windows machines run WER, which makes 80 percent of the computers in an average company capable of reporting detailed information about changes made to it in clear text, several times per day.

Error reports on networked applications often include information about the network to which they’re connected, apps running on the machine, or server-based apps with which the PC is interacting and, sometimes, information about performance of the application on that network.

Using that data, “it is quite possible to quickly generate a representative model of a network,” giving potential attackers valuable clues about where and how both the corporate network and individual PCs might be vulnerable.

The solution is to simply not send out so much information, send it only to receivers known to and approved by the IT security organization and encrypt the data that is sent using SSL or TLS 1.2, according to Alexander Watson, director of security research at Websense.

Group Policies can be used to limit the information being sent and redirect WER reports to internal servers, for example. More fundamentally, IT support and security organizations should know what data Windows machines are trying to send and identify other applications, operating systems or devices with telemetry built in and turned on by default, then turn them off.

“Applications that report this information without encrypting data risk leaking information at multiple points,” Watson wrote. “This includes any upstream proxies, firewalls, and ISPs that are in between the corporate network and the destination as well as the application developer and their partner organizations.”