Websense reveals Windows Error Reporting vulnerable to hackers


by Claire Vanner | 03 January 2014

Windows' Dr Watson programme inadvertently leaks business data in crash logs.

Websense has revealed that Microsoft could be inadvertently leaking businesses' vulnerability data to cybercriminals through Windows Error Reporting (WER).

Websense recently processed a sample data set from the Websense ThreatSeeker Intelligence Network to investigate the security risk from popular applications and services.

WER, also known as Dr. Watson, predominantly sends out crash logs in the clear. According to Websense Security Labs, these error logs could be used by a threat actor as intelligence to craft specific attacks and compromise networks.

Crashes are especially useful for attackers since they may pinpoint a new exploitable code flaw for a zero-day attack.

"While reporting these crashes is beneficial for organisations in order to understand applications and crashes within their own network, we have found that WER is sending crash logs in the clear, causing attackers to identify vulnerable endpoints to infiltrate more advanced penetration within the system's networks," said Carl Leonard, Senior Security Research Manager EMEA, Websense.

He added: "What is surprising though, is that without the organisation's knowledge, information is automatically sent to WER every time a Windows user connects a new USB device to a computer; information that would be of value to an attacker, causing organisations to be more prone to increased data leaks."

WER reports information that hackers commonly use to find and exploit weak systems, such as OS, service pack and update versions. It is utilised on 80% of network-connected PCs, equating to more than one billion endpoints worldwide.

Websense recommends that services which report application telemetry and contain information about the security environment and underlying network infrastructure should be encrypted with SSL at a minimum, ideally using TLS 1.2.

Leonard advised: "To protect organisations from these attacks we strongly recommend that companies create group policies to force encryption on all telemetry reports and monitor their network for inadvertent leaking of information."
