Websense Security Labs has recently released significant research outlining how seemingly innocuous and routine “crash reports” sent to Microsoft may provide a complete blueprint for successful cyber-attacks.
The research reveals that Microsoft Error Reporting (known as Dr. Watson) sends information in clear text. By correlating the data, Websense has demonstrated how any attacker intercepting it can create a precise blueprint of the hardware and software on the target’s network, which can be used to create tailored attacks with a high probability of success.
Clear-text application telemetry data can provide cybercriminals with the make and model of every PC on the corporate network, the specific machine ID of each, the exact operating system on each PC (down to the specific update and service pack), the BIOS version of the computer, all browsers on these devices (and their versions, extensions, apps and plug-ins), and a list of every application installed on the computer along with its version.
Using this newly discovered methodology, any attacker can gain intelligence that lets them know exactly whom to target and what exploit to unleash upon enterprise and public sector companies.
Carl Leonard, Senior Security Research Manager EMEA at IT security firm Websense, made the following comments:
We recently investigated the security risks associated with popular applications and found that the enterprise and public sector are reporting crash logs and inadvertently leaking data which cyber criminals are using to create tailored cyber-attacks.
While reporting these crashes is beneficial for organisations in order to understand applications and crashes within their own network, we have found that Windows Error Reporting (WER) is sending crash logs in the clear, causing attackers to identify vulnerable endpoints to infiltrate more advanced penetration within the system’s networks.
What is surprising, though, is that without the organisation’s knowledge, information is automatically sent to WER every time a Windows user connects a new USB device to a computer; information that would be of value to an attacker, causing organisations to be more prone to increased data leaks.
To protect organisations from these attacks we strongly recommend that companies create group policies to force encryption on all telemetry reports and monitor their network for inadvertent leaking of information.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.