Microsoft says: Lock down your software supply chain before the malware scum get in

Silver badge

So ultraedit ehhh?

The problem here is apps are not properly containerized, and can do basically anything... as if they were almost root. They do not need to change the system if they can pervert other apps... and here lies the design flaw!!

0
0
Silver badge

Re: So ultraedit ehhh?

I was thinking Notepad++.

Inquiring minds would like to know! C'mon El Reg, name the editor, I am sure you already know...

1
0
LDS
Silver badge

Re: So ultraedit ehhh?

There is an upper limit for containerizing applications, after which they become useless, especially when they aren't simple, wholly self-contained applications, and need to interact with the rest of the system. An installer, by definition, needs to modify the system. There are ways to improve the security of installers, but there are also many bad developers who do their best to cripple security. For example, update services running as LocalSystem are enormously dangerous, if you can trick them into executing whatever you like. If you take that dangerous road, it's your responsibility to secure the chain fully, and properly. Still, other morons are lured into thinking that SecureBoot and code signing are the spawn of Satan (many only because they fear it makes warez harder, yes, yes, it's all about running your own distro of Linux, not pirated games...), and yes, it adds complexity to your deployment workflow. Also, financial/payment companies (and not only them) should not really allow for non-approved updates downloaded directly from outside, they should be managed internally. Yes, more work to do....

0
0
LDS
Silver badge

Re: So ultraedit ehhh?

AFAIK Notepad++ doesn't install a service to download updates, it checks on startup. ue.exe looks like it points at something like UltraEdit - but who knows?

1
0
Silver badge
Facepalm

Re: So ultraedit ehhh?

Come on, it's bound to be an Adobe package! They love running their own updater process at start up.

3
0
Silver badge

Microsoft Store?!

After reading the rather informative Security Advisory, I can't help but think that MS marketing will seize this as another reason for locking things down further and insisting that all Windows software needs to be distributed and updated via the MS Store...

3
1
Bronze badge
Coffee/keyboard

Re: Microsoft Store?!

Sounds reasonable - Apple does it - right?

0
0

The only editor in a proper china cup...

I'm glad I use vi - or vim, if it's a Billyware box. No vulnerabilities.

0
0
