TL;DR

This week’s security news covers a Microsoft GitHub supply chain breach involving infected repositories, a fix for a GitHub token theft bug, TP-Link device domain issues, new OpenSSL vulnerabilities, and the return of researcher NightmareEclipse with new exploits. The developments highlight ongoing risks and industry responses.

Microsoft’s open source repositories on GitHub were automatically disabled after a supply chain attack in which the Miasma worm infected packages, affecting over 70 repositories, including many related to Azure.

According to OpenSourceMalware, the infection originated from the Microsoft Durabletask package, which was previously compromised in May and used to distribute malicious packages via PyPI. GitHub’s automated security system flagged and took down 73 repositories within minutes, aiming to contain the spread. The compromised repositories included over 40 related to Azure; the takedown disrupted build processes but prevented further infection.

In addition, Microsoft addressed a critical bug in GitHub’s embedded web-based VSCode editor that could allow attackers to exfiltrate user authentication tokens. Discovered by Ammar Askar, the vulnerability involved manipulating the sandboxed environment to install malicious extensions, risking account compromise.

Separately, security researcher Julian B identified an unregistered domain in TP-Link firmware that devices checked in to, potentially exposing device traffic or control channels. After reporting the issue, Julian transferred the domain to TP-Link, but the full implications remain unclear.

OpenSSL disclosed a set of vulnerabilities, including a high-severity use-after-free flaw in PKCS7 handling, which could allow remote code execution if exploited. Most applications are unlikely to be directly impacted, but users are advised to update promptly.

Finally, researcher NightmareEclipse, known for discovering Windows vulnerabilities, returned as MSNightmare, releasing exploits for Windows Defender race conditions and BitLocker bypasses, coinciding with Patch Tuesday. Microsoft initially threatened legal action but later softened its stance, reflecting ongoing tensions between researchers and vendors.

Impact of Supply Chain Attacks and Vulnerability Fixes

The infected repositories highlight the ongoing risks of supply chain attacks, which can disrupt development pipelines and compromise enterprise security. Microsoft’s quick response to fix the GitHub token vulnerability underscores the importance of proactive security measures. The return of NightmareEclipse and the disclosure of new Windows vulnerabilities illustrate the persistent challenge of balancing security research with vendor responses, influencing industry norms and policies.

Recent Trends in Security Incidents and Industry Responses

Supply chain attacks have surged in frequency, with recent incidents affecting major organizations like Microsoft. The Miasma worm’s targeting of Azure-related packages exemplifies the growing sophistication of malicious actors exploiting open source ecosystems. Concurrently, vulnerabilities in widely used libraries like OpenSSL and operating system components remain a constant threat, prompting ongoing updates and patches.

Security researchers continue to play a vital role, though tensions with vendors like Microsoft have surfaced, especially around disclosure practices. The return of NightmareEclipse signals a shift toward more aggressive research activities, despite earlier threats of legal action, reflecting evolving industry dynamics.

“The infection resulted in 73 repositories being flagged and taken offline within a little over a minute, aiming to contain the spread of the malicious packages.”

— OpenSourceMalware

Unresolved Questions and Ongoing Investigations

While the scope of the supply chain breach is partially documented, the full extent of compromised credentials and the potential long-term impact remain unclear. The precise risks posed by the unregistered TP-Link domain are also uncertain, as the full functionality and security implications are still under assessment. Additionally, the full range of vulnerabilities disclosed by OpenSSL and their exploitability in real-world scenarios are still being evaluated by security experts.

Next Steps for Security Teams and Vendors

Organizations should monitor repositories and update dependencies affected by the Microsoft supply chain incident. Microsoft and other vendors are expected to release further patches addressing disclosed vulnerabilities, including those in OpenSSL and Windows. Researchers like NightmareEclipse may continue to publish exploits, prompting vendors to accelerate mitigation efforts. Companies should also review their supply chain and IoT device security practices to prevent similar issues.

Key Questions

How did the Microsoft supply chain attack occur?

The attack involved the compromise of the Microsoft Durabletask package, which was infected and used to distribute malicious code via GitHub and PyPI, leading to the disabling of over 70 repositories.

What is the significance of the GitHub token vulnerability fix?

The fix prevents attackers from stealing authentication tokens via the embedded VSCode web interface, reducing the risk of account compromise.

What are the risks of the unregistered TP-Link domain?

The discovery indicates potential risks in device communication, but the full extent and impact are still being assessed by security researchers.

What should users do about the OpenSSL vulnerabilities?

Users should update their OpenSSL libraries as soon as patches are available to mitigate the risk of remote code execution or memory corruption.

Will Microsoft or other vendors release more patches soon?

Yes, security updates are expected following Patch Tuesday, and organizations should prepare to apply patches promptly.

Source: Hackaday
