Sunday, January 12, 2014

Windows error report leaking data!!?


Kind of a million-dollar question. Let's see what security experts say:

A recent Websense Security Labs report, http://community.websense.com/blogs/securitylabs/archive/2013/12/29/dr-watson.aspx, makes serious points on this topic.

Der Spiegel explains: The automated crash reports are a “neat way” to gain “passive access” to a machine, the presentation continues. Passive access means that, initially, the only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer. Microsoft has Windows Error Reporting (a.k.a. Dr. Watson) technology from Windows XP to later versions. Windows crash reports give up all kinds of information about your system, allowing them to know what software is installed on your PC, respective versions and whether the programs or OS have been patched.

Read more: http://thehackernews.com/2014/01/windows-error-crash-reports-or-treasure.html?_m=3n.009a.456.rw0ao05yro.9pr#

Notable comments by the Websense readers:



"Ryan Ries said on Sunday, December 29, 2013 5:54 PM

    All of the data sent over the internet by WER is protected by SSL/TLS (up to v1.2 if available.) Your Wireshark capture demonstrates you sending traffic to an internal proxy, as evidenced by the 10.x.x.x source and destination addresses. NOT watson.microsoft.com. This information isn't sent over the internet in clear text.

AlexWatson said on Sunday, December 29, 2013 6:17 PM

    @ Ryan - You are correct that the test network uses a proxy, but the use of a proxy does not affect whether HTTP or HTTPS is selected. The initial stage (Stage 1) that  is shown above, and that we are discussing in this blog post is not encrypted. Stage 2-4 of Windows Error Reporting which can potentially contain personally identifiable information in a Dr. Watson minidump is encrypted with HTTPS.

    From Microsoft at: technet.microsoft.com/.../cc709644(v=ws.10).aspx

    Encryption: All report data that could include personally identifiable information is encrypted (HTTPS) during transmission. The software "parameters" information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted.

Bernd said on Sunday, December 29, 2013 10:58 PM

    Reads: "... USB device to the computer a report is sent to windows.microsoft.com - See more ..."

    Should read: "... USB device to the computer a report is sent to watson.microsoft.com - See more ..."

AlexWatson said on Monday, December 30, 2013 12:26 PM

    @Bernd- Thanks for pointing that out. Blog updated.

Alexander Hanff said on Tuesday, December 31, 2013 5:55 AM

    See my discussion with Brendon Lynch regarding Windows Error Reports here:

    www.alexanderhanff.com/nsa-obtain-microsoft-error-reports

John said on Wednesday, January 01, 2014 5:18 AM

    System 8 uses ''Problem Reports and Solutions", the Dr Watson replacement.  Same issues?

James said on Wednesday, January 01, 2014 5:29 PM

    I think the bigger issue is ...Why does Microsoft need to collect if one billion endpoints use an iPhone (competitor) or not?

AlexWatson said on Friday, January 03, 2014 12:52 PM

    @John- Windows 8 uses the same "Problem Reports and Solutions" telemetry application and format as Windows Vista and 7, but DOES enforce TLS encryption on all application crash and telemetry reports and is not vulnerable in this regard. Windows 8 telemetry is sent to watson.telemetry.microsoft.com for your reference."


Source: Websense Security Labs and The Hacker News
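
One way to check your own network for the unencrypted Stage 1 reports discussed in the comments above, as an added example that is not from the original post or from Websense: it scans proxy log lines for plain-HTTP requests to watson.microsoft.com and lists the software parameters each client exposes. The log format, the sample lines and the `/StageOne/...` path layout are assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit, unquote

WER_HOSTS = {"watson.microsoft.com"}  # host named in the comments above

# Constructed sample proxy log (assumed format): "<timestamp> <client-ip> <method> <target>"
SAMPLE_LOG = """\
2014-01-12T09:14:02Z 10.0.0.21 GET http://watson.microsoft.com/StageOne/example_exe/1_2_3_4/examplemod_dll/5_6_7_8/0001a2b3.htm
2014-01-12T09:15:40Z 10.0.0.21 CONNECT watson.microsoft.com:443
2014-01-12T09:16:11Z 10.0.0.35 GET http://www.example.org/index.html
2014-01-12T09:17:55Z 10.0.0.35 GET http://watson.microsoft.com/StageOne/Generic/ExampleEvent/param1/param2.htm
malformed line
"""


def cleartext_wer_reports(log_text):
    """Return {client_ip: [params, ...]} for WER requests sent over plain HTTP."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _timestamp, client, method, target = fields
        if method.upper() == "CONNECT":
            continue  # TLS tunnel: report content is not readable on the wire
        url = urlsplit(target)
        if url.scheme.lower() != "http":
            continue
        if (url.hostname or "").lower() not in WER_HOSTS:
            continue
        parts = [unquote(p) for p in url.path.split("/") if p]
        # Assumed layout: /StageOne/<parameter>/<parameter>/...<last>.htm
        if not parts or parts[0].lower() != "stageone":
            continue
        params = parts[1:]
        if params and params[-1].lower().endswith(".htm"):
            params[-1] = params[-1][:-4]
        leaks[client].append(params)
    return dict(leaks)


if __name__ == "__main__":
    for client, reports in sorted(cleartext_wer_reports(SAMPLE_LOG).items()):
        for params in reports:
            print(f"{client} sent unencrypted WER parameters: {params}")
```

Clients that show up here are disclosing application and module versions to anyone on the path between them and the proxy or the Internet.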
