This sounds like a remarkably alarming warning: as many as 1 billion networked PCs around the world are allegedly at risk because Windows Error Reporting (aka Dr. Watson) sends its report in the clear. And those reports do include machine type, OS, version of OS, which system packs have been installed and so on. All of the information that a hacker usually is interested in to see what tools, if any, he will need to be able to access the machine.
The warning comes from Websense:
Websense® Security Labs™ recently processed a sample data set from the Websense ThreatSeeker® Intelligence Network to investigate the security risk from popular applications and services. We determined enterprise and public sector networks are inadvertently leaking information, which could be used by a threat actor as intelligence to craft specific attacks and compromise networks.
One troubling thing we observed is Windows Error Reporting (a.k.a. Dr. Watson) predominantly sends out its crash logs in the clear. These error logs could ultimately allow eavesdroppers to map out vulnerable endpoints and gain a foothold within the network for more advanced penetration. Here’s more on why that’s a concern:
80 percent of all network-connected PCs use it – that’s more than one billion endpoints worldwide
Dr. Watson reports information that hackers commonly use to find and exploit weak systems such as OS, service pack and update versions
Crashes are especially useful for attackers since they may pinpoint a new exploitable code flaw for a zero-day attack
Information is also sent for common system events like plugging in a USB device
Now it is true that this information is hugely valuable to Microsoft Microsoft and also to the rest of us. For it’s what is used to try and make the operating system, Windows, work better over time and given the number of us that still use it that’s a highly desirable outcome.
However, there are a number of problems with it being sent in clear. For a start, anyone gaining access to that flow of information obviously has a great deal of information about where Windows is currently failing. That’s a great start to finding the vulnerabilities and flaws that allow the design of exploits.
It’s not entirely simple to gain access to that error reporting traffic but it most certainly can be done with a variety of man in the middle methods. Or, more importantly, if, just as an example of something unlikely, a spy agency had fibreoptic links into the backbone it could deliberately sniff for such traffic. And this would give it a lovely database of those machines that haven’t been updating their service packs and thus have known vulnerabilities.
It’s a rather large and gaping hole that much of this traffic is moving unencrypted. Websense don’t suggest not sending the reports of course: the improvements that come from the information are too valuable for that. However, they do suggest that computers on any network should be sending their reports to a local server, within the network, there to be encrypted before being sent off to Microsoft.
