Websense reveals Windows Error Reporting vulnerable to hackers

Websense has revealed that Microsoft could be inadvertently leaking businesses vulnerability data to cybercriminals through Windows Error Reporting (WER).

Websense recently processed a sample data set from the Websense ThreatSeeker Intelligence Network revealing to investigate the security risk from popular applications and services.

WER, also known as Dr. Watson, predominantly sends out crash logs in the clear. According to Websense Security Labs, these error logs could be used by a threat actor as intelligence to craft specific attacks and compromise networks.

Crashes are especially useful for attackers since they may pinpoint a new exploitable code flaw for a zero-day attack.

"While reporting these crashes is beneficial for organisations in order to understand applications and crashes within their own network, we have found that WER is sending crash logs in the clear, causing attackers to identify vulnerable endpoints to infiltrate more advanced penetration within the system’s networks," said Carl Leonard, Senior Security Research Manager EMEA, Websense.

He added: "What is surprising though, is that without the organisation’s knowledge, information is automatically sent to WER every time a Window’s user connects a new USB device to a computer; information that would be of value to an attacker, causing organisations to be more prone to increased data leaks."

WER reports information that hackers commonly use to find and exploit weak systems, such as OS, service pack and update versions. It is utilised on 80% of network-connected PCs, equating to more than one billion endpoints worldwide.

Websense recommends services that report application telemetry and contain information about the security environment and underlying network infrastructure should be encrypted with SSL at a minimum, ideally using TLS 1.2

Leonard advised: "To protect organisations from these attacks we strongly recommend that companies create group policies to force encryption on all telemetry reports and monitor their network for inadvertent leaking of information."