Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/4/2021
06:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Source Code Exposed: What We Know & What It Means

Microsoft says there is no increase in security risk; however, experts say access to source code could make some steps easier for attackers.

Microsoft confirmed last week that attackers were able to view some of its source code, which it found during an ongoing investigation of the SolarWinds breach. While its threat-modeling approach mitigates the risk of viewing code, many questions remain that could determine the severity of this attack. 

Related Content:

CISO New Year's Resolutions for 2021

How Data Breaches Affect the Enterprise

New From The Edge: Homomorphic Encryption: The 'Golden Age' of Cryptography

In a blog post published on Dec. 31, 2020, officials said Microsoft has not found evidence of access to production services or customer data, nor has it discovered that its systems were used to attack other companies. The company has not found indications of common tactics, techniques, and procedures (TTPs) linked to abuse of forged SAML tokens against its corporate domains. 

It did find an internal account had been used to view source code in "a number of code repositories," according to the blog post, from the Microsoft Security Response Center (MSRC). This activity was unearthed when investigators noticed unusual activity with a small number of internal accounts, the post explains, and the affected account didn't have permissions to change any code or engineering systems. The accounts were investigated and remediated, officials noted. 

The news began to generate attention in the security community, and with good reason: Microsoft's software is among the most widely deployed in the world, and organizations of all sizes rely on the company's products and services. It's an appealing target, in particular among advanced attackers like those behind the SolarWinds incident.

"It's something they can't access themselves, and there's a lot of assumption that there's super-secret things there that are going to compromise [their] security," says Jake Williams, founder and president of Rendition Infosec, regarding why businesses might understandably panic at the news.

While it's certainly concerning, and we don't know the full extent of what attackers could see, Microsoft's threat-modeling strategy assumes attackers already have some knowledge of its source code. This "inner source" approach adopts practices from open source software development and culture, and it doesn't rely on the secrecy of source code for product security.

"There are a lot of software vendors, and security vendors, that rely on the secrecy of their code to ensure security of applications," Williams explains. Microsoft made a big push for secure software development in Windows Vista. It didn't make the decision to open source the code but designed it with the assumption that could possibly happen someday. Source code is viewable within Microsoft, and viewing the source code isn't tied to heightened security risk.

"If the code is all publicly released, there should not be new vulnerabilities discovered purely because that occurs," Williams adds.

Microsoft's practice isn't common; for most organizations, the process of adopting the same approach and revamping their existing code base is too much work. However, Microsoft is a big enough target, with people regularly reverse engineering its code, that it makes sense. 

While attackers were only able to view the source code, and not edit or change it, this level of access could prove helpful with some things — for example, writing rootkits. Microsoft, which did not provide additional detail for this story beyond its blog post, has not confirmed which source code was accessed and how that particular source code could prove helpful to an attacker.

It's one of many questions that remain following Microsoft's update. What have the attackers already seen? Where was the affected code? Were the attackers able to access an account that allowed them to alter source code? There is still much we don't know regarding this intrusion.

This "inner source" approach still creates risk, writes Andrew Fife, vice president of marketing at Cycode, in a blog post on the news. Modern applications include microservices, libraries, APIs, and SDKs that often require authentication to deliver a core service. It's common for developers to write this data into source code with the assumption only insiders can see them.

"While Microsoft claims their 'threat models assume that attackers have knowledge of source code,' it would be far more reassuring if they directly addressed whether or not the breached code contained secrets," he writes. In the same way source code is a software company's IP, Fife adds, it can also be used to help reverse engineer and exploit an application.

This is an ongoing investigation, and we will continue to provide updates as they are known. In the meantime, Williams advises organizations to continue applying security patches as usual and stick with the infosec basics: review trust relationships, check your logging posture, and adopt the principles of least privilege and zero trust.

"Supply chain attacks are really difficult to defend against, and it really comes back to infosec foundations," he says. "If your model of protecting against an attack is 'give me an indicator of compromise and I will block that indicator,' that's '90s thinking."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28488
PUBLISHED: 2021-01-22
This affects all versions of package jquery-ui; all versions of package org.fujion.webjars:jquery-ui. When the "dialog" is injected into an HTML tag more than once, the browser and the application may crash.
CVE-2021-22847
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
CVE-2021-22849
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...