Amid the revelation that attackers can use Windows crash data reports to conduct targeted attacks, does it make...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
sense to implement a mitigation via Group Policy?
Many software vendors include in their applications the ability to collect and receive crash data if or when their program stops working. In the early days of the Windows operating system, a program crash often resulted in the "blue screen of death," but nowadays most applications handle such situations much more effectively, often advising the user that a problem has occurred and that the application will be restarted.
In an effort to eradicate the same problem from future versions of the program, some applications give users the option of sending crash data details to the vendor. The information captured at the time of the crash, along with information about the operating environment, can be used by technical support personnel to diagnose the program error. Microsoft's Windows Error Reporting, or WER, uses an application debugger called Dr. Watson, a default feature in the operating system that is used by approximately 80% of all networked PCs.
Alarmingly, many applications -- including those from Microsoft according to Websense Security Labs -- transmit this data in cleartext without encrypting what can be quite sensitive information, such as the make and model of the machine, BIOS version, ID and installed applications. This data potentially could be used by hackers to discover new zero-day exploits and profile targeted machines to find exploitable vulnerabilities.
To make use of this information, an attacker would first have to obtain it -- but how?
According to a report by German publication Der Spiegel, an elite team of NSA hackers called the Tailored Access Operations unit may be using the NSA's XKeyscore spy tool to grab Windows crash data from the Internet traffic it captures. Undoubtedly, malicious hackers will follow suit.
While crash reports play an important role in helping vendors improve the stability and security of their products, they should never put users' systems at risk. Enterprises should, in my opinion, turn off automatic crash reporting via Group Policy. While it may help a vendor fix or improve its software, it is basically a free form of application testing. Not encrypting crash data -- often referred to as application telemetry -- is a poor and dangerous practice, as it risks leaking sensitive information to various third parties, including Internet service providers and application developers. Even if the data is encrypted prior to transmission, it consumes precious bandwidth and slows the application's restart. Also, there is no knowing how the data will be secured and handled once it has been transmitted to the vendor. Sure, sharing information to improve the Internet and the applications we use is important, but not if it threatens a network and its users' overall security.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Network Behavior Anomaly Detection (NBAD)
Related Q&A from Michael Cobb
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve ...continue reading
Crowning the most secure web browser is difficult, with research often turning up biased results. Expert Michael Cobb explains how to make a choice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.