back to article Microsoft says: Lock down your software supply chain before the malware scum get in

Microsoft's security team is urging developers to shore up their software update systems – after catching miscreants hijacking an editing application's download channels to inject malware into victims' PCs. In a security advisory, Redmond's infosec gurus describe Operation WilySupply: their mission to find, isolate and destroy …

  1. Aitor 1

    So ultraedit ehhh?

    The problem here is apps are not properly containerized, andand can do basically anything..as if they were almost root. They do no need to change the system if they can pervert other apps...and here lies the design flaw!!

    1. Khaptain Silver badge

      Re: So ultraedit ehhh?

      I was thinking Notapad++.

      Inquiring minds would like to know ! Cmon El Reg name the editor, I am sure you already know ..

      1. Anonymous Coward
        Anonymous Coward

        Re: So ultraedit ehhh?

        AFAIK Notepad++ doesn't install a service to download updates, it checks on startup. ue.exe looks like pointing at something like UltraEdit - but who knows?

    2. Anonymous Coward
      Anonymous Coward

      Re: So ultraedit ehhh?

      There is an upper limit for containerizing applications, after which they become useless, especially when they aren't simple, wholly self-contained applications, and need to interact with the rest of the system. An installer, by definition, needs to modify the system. There are ways to improve the security of installers, but there are also many bad developers who do their best to cripple security. For example update services running as LocalSystem are enormously dangerous, if you can trick them to execute whatever you like. If you take that dangerous road, it's your responsibility to secure the chain fully, and properly. Still, other morons are lured into thinking that SecureBoot and code signing are the spawn of Satan (many only because they fear it makes wharez harder, yes, yes, it's all about running your own distro of Linux, not pirated games...), and yes, it adds complexity to your deployment workflow. Also, financial/payment companies (and not only them) should not really allow for non-approved updates downloaded directly from outside, they should be manged internally. Yes, more work to do....

    3. Paul Crawford Silver badge
      Facepalm

      Re: So ultraedit ehhh?

      Come on, its bound to be an Adobe package! They love running their own updater process at start up.

  2. Roland6 Silver badge

    Microsoft Store?!

    After reading the rather informative Security Advisory, I can't help but think that MS marketing will seize this as another reason for locking things down further and insisting that all Windows software needs to be distributed and updated via the MS Store...

    1. JCitizen
      Coffee/keyboard

      Re: Microsoft Store?!

      Sounds reasonable - Apple does it - right?

  3. MarkSitkowski

    The only editor in a proper china cup...

    I'm glad I use vi - or vim, if it's a Billyware box. No vulnerabilities.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like