Amid the revelation that attackers can use Windows crash data reports to conduct targeted attacks, does it make sense to implement a mitigation via Group Policy?
Many software vendors include in their applications the ability to collect and receive crash data if or when their program stops working. In the early days of the Windows operating system, a program crash often resulted in the "blue screen of death," but nowadays most applications handle such situations much more effectively, often advising the user that a problem has occurred and that the application will be restarted.
In an effort to eradicate the same problem from future versions of the program, some applications give users the option of sending crash data details to the vendor. The information captured at the time of the crash, along with information about the operating environment, can be used by technical support personnel to diagnose the program error. Microsoft's Windows Error Reporting, or WER, uses an application debugger called Dr. Watson, a default feature in the operating system that is used by approximately 80% of all networked PCs.
Alarmingly, many applications -- including those from Microsoft according to Websense Security Labs -- transmit this data in cleartext without encrypting what can be quite sensitive information, such as the make and model of the machine, BIOS version, ID and installed applications. This data potentially could be used by hackers to discover new zero-day exploits and profile targeted machines to find exploitable vulnerabilities.
To make use of this information, an attacker would first have to obtain it -- but how?
According to a report by German publication Der Spiegel, an elite team of NSA hackers called the Tailored Access Operations unit may be using the NSA's XKeyscore spy tool to grab Windows crash data from the Internet traffic it captures. Undoubtedly, malicious hackers will follow suit.
While crash reports play an important role in helping vendors improve the stability and security of their products, they should never put users' systems at risk. Enterprises should, in my opinion, turn off automatic crash reporting via Group Policy. While it may help a vendor fix or improve its software, it is basically a free form of application testing. Not encrypting crash data -- often referred to as application telemetry -- is a poor and dangerous practice, as it risks leaking sensitive information to various third parties, including Internet service providers and application developers. Even if the data is encrypted prior to transmission, it consumes precious bandwidth and slows the application's restart. Also, there is no knowing how the data will be secured and handled once it has been transmitted to the vendor. Sure, sharing information to improve the Internet and the applications we use is important, but not if it threatens a network and its users' overall security.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig deeper on Network Behavior Anomaly Detection (NBAD)
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.