When a bad software update from security firm CrowdStrike inadvertently caused digital chaos across the world last month, its first signs were Windows computers showing the blue screen of death as websites and services went down. As people rushed to understand what was happening, contradictory and incorrect information was everywhere. Racing to make sense of the crisis, longtime Mac security researcher Patrick Wardle knew there was one place he could get the facts: crash reports from computers affected by the bug.
“Even though I’m not a Windows researcher, I was shocked by what was happening and the lack of information,” Wardle told WIRED. “People were saying it was a Microsoft problem because Windows systems were blue-screening and there were a lot of wild theories. But it really had nothing to do with Microsoft. So I went to look at the crash reports, which I think is the ultimate truth. And if you looked there you were able to figure out the underlying cause long before CrowdStrike came along and told us it was happening.”
At the Black Hat security conference in Las Vegas on Thursday, Wardle argued that crash reports are an underutilized tool. Such system snapshots give software developers and maintainers insight into potential problems in their code. And Wardle emphasized that they can be a source of information, especially about potentially exploitable vulnerabilities in software — for both defenders and attackers.
In his speech, Wardle presented several examples of vulnerabilities found in software when an app crashed and he scoured the reports looking for a possible cause. Users can easily view their crash reports on Windows, macOS, and Linux, and they’re also available on Android and iOS, though accessing them on mobile operating systems can be more challenging. Wardle notes that to get information from crash reports, you need a basic understanding of instructions written in low-level machine code known as assembly, but he emphasizes that the payoff is worth it.
In his Black Hat talk, Wardle presented several vulnerabilities he discovered by examining crash reports on his own devices, including bugs in the analysis tool YARA and the current version of Apple's macOS operating system. In fact, when Wardle discovered in 2018 that an iOS bug caused apps to crash whenever the Taiwanese flag emoji was displayed, it was crash reports he used to get to the bottom of what had happened.
“We conclusively revealed that Apple had caved in to China’s demands to censor the Taiwanese flag, but there was a bug in their censorship code — ridiculous,” he said. “My friend who initially saw it was like, ‘My phone is being hacked by the Chinese. It crashes whenever you text me. Or are you hacking me?’ And I said, ‘Rude, I wouldn’t hack you. And also, Rude, if I hacked you, I wouldn’t crash your phone.’ So I pulled up the crash reports to find out what was going on.”
Wardle emphasizes that if he can find so many vulnerabilities by looking at his and his friends' device crash reports, software developers should look there too. Sophisticated criminal actors and well-funded state-backed hackers are probably already getting ideas from crash reports. Over the past few years, news reports have indicated that intelligence agencies such as the US National Security Agency mine crash logs for use in hacking into devices. Wardle points out that crash reports are also a valuable source of information for detecting malware, as they can reveal unusual and potentially suspicious activity. Malware from the notorious spyware broker NSO Group, for example, has built-in mechanisms to delete crash reports immediately after a device is infected. And because malware often contains bugs of its own, making crashes more likely, crash reports are also valuable to attackers for understanding what went wrong in their code.
“The truth comes out in the crash report,” says Wardle. “Or, I guess, the truth is inside.”