Exetools - Dr. Watson Gets an Extreme Makeover

** Dr. Watson Gets an Extreme Makeover
From SecurityWatch [[email protected]]

* Privacy

Microsoft Chairman and Chief Software Architect Bill Gates said at a recent conference that Microsoft is enhancing the features of the "Dr.
Watson" error reporting tool. Dr. Watson has been part of the Windows operating system since the inception of Windows NT more than 12 years ago. As with other features in the operating system, Microsoft plans to extend the granularity of Dr. Watson's controls to allow consumers to send data in context, rather than just as a memory image. Further, consumers will be able to decide what data will be sent to Microsoft and selected third-party software vendors.

When an application crashes today, Dr. Watson typically stores a dump of the entire memory image, together with specific details about the application that crashed. If, for example, Outlook crashes while an e- mail's being created, the data contained in the e-mail up to that point is part of the memory image. The consumer has no way of removing it, although he can decide not to send the entire image. In the future version, you'll be able to clear out the data in that e-mail and still send the balance of the memory image to Microsoft for inspection.

Microsoft has realized that in order to make better use out of the data it receives when a crash occurs, it needs additional information, such as what other programs were running, what other data was in memory, the status of Registry keys and so on. Consumers will have the ability to choose what data to share -- and what not to share -- with Microsoft.
Corporations will be able to control these details through a Group Policy Object.

Privacy advocates aren't going to like this new change in the functionality of Dr. Watson, since the vast majority of consumers won't be able to navigate through the volumes of data to make informed decisions as to what they don't want to send. Microsoft has said the data will be submitted anonymously, but it's hard to see how a submission will be useful to the person who submits it if it's done completely anonymously.

Further, in a corporate environment, the fact that significant and potentially confidential data would be transmitted automatically across the network due to an application crash may lead to an entirely new type of Denial of Service attack. If it's possible to crash a machine at precisely the right time, then intercept or eavesdrop on the Dr.
Watson dump transfer, the attacker could obtain whatever was in memory at the time of the crash.

Currently, Automatic Error Reporting yields little useful information for the consumer whose application has just crashed. This new information and greater detail may help Microsoft understand the failures better, but in reality it makes everyone a beta tester. This will likely become a popular feature to turn off, except possibly on developers' systems. Also, imagine the overhead requirements to keep such data available for dumping during a crash -- it will likely be significant.