Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software (bleepingcomputer.com)

Posted by msmash on Thursday July 26, 2018 @08:02AM from the security-woes dept.

Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users' computers. From a report: The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus. Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies. One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company's cloud servers during the editor's installation routine.

31 comments

Min score:

Reason:

Sort:

comic sans? by Anonymous Coward · 2018-07-26 08:15 · Score: 2, Funny

was it comic sans?
FoxIt! by Anonymous Coward · 2018-07-26 08:24 · Score: 0

TrumpTvIt! Bad girls. Sad girls/ Talking bout.
Guess that is why I prefer by oldgraybeard · 2018-07-26 08:43 · Score: 1

To download full local install packages with their check sums. And that these cloud based (internet required) apps are great to force the continuous subscription profit model but not so secure or great for the end user.

Just my 2 cents ;)
Sychronicity by theCat · 2018-07-26 08:44 · Score: 2

I was just this morning taking a security course required by my employer where they were stressing the importance of securing the supply chain.
Oh and by-the-way, I think there must be some kind of quantum nature to all these exploits. And maybe if we would just stop looking for them, they would not come into existence at all and their eigenvalues would remain undefined. Worth a shot.
Okay back to your regularly scheduled illusion.

--
=^..^= all your rodent are belong to us
1. Re:Sychronicity by Trax3001BBS · 2018-07-26 15:42 · Score: 1
  
  I was just this morning taking a security course required by my employer where they were stressing the importance of securing the supply chain.
  Microsoft is an arrogant bunch, and take no notice of a situation not theirs.
  This exact thing happened two years ago to Linux Mint https://www.zdnet.com/article/...
  And the time my Email address became public domain.
Since when... by muecksteiner · 2018-07-26 09:02 · Score: 1

...is it considered even remotely acceptable that downloading an (expletive deleted) font package puts you at risk of malware installation? Which parallel universe does one have to be in to not immediately send the person in charge of security for this product to the Uranium mines?
Oh, wait, this is Windows we are talking about. All good, move on, nothing new to see here.
1. Re:Since when... by Anonymous Coward · 2018-07-26 13:38 · Score: 0
  
  ...is it considered even remotely acceptable that downloading an (expletive deleted) font package puts you at risk of malware installation?
  Since a long, long time. And lots of website designers now depend on embedded fonts that your browser downloads and uses. It's a wonderful exploitation method.
  Oh, wait, this is Windows we are talking about. All good, move on, nothing new to see here.
  Actually, font exploits have been found for lots of platforms, including the mac.
  Which is why designing your website to rely on downloaded fonts is a terrible idea (since any sane person will block font downloads in their web browser). And yet the embedded font monstrosity continues...
2. Re:Since when... by barbariccow · 2018-07-26 14:25 · Score: 1
  
  That doesn't mean that downloading fonts needs to execute code. That is stupid. What's wrong with fetching a zip of dumb font files? There's no execution vector, except that Microsoft gives them one. And you're right, this has been known about for a very long time, and yet still windows will download and execute executable sections of code to install a fucking font. The font itself is not the problem here.
3. Re:Since when... by Anonymous Coward · 2018-07-27 02:58 · Score: 0
  
  If you have a slightly longer memory you'll remember the vuln in the graphite library that allowed an arbitrary web page or a document to send/embed/load a malicious font and gain remote code execution on Linux in OpenOffice or Firefox.
  Windows is the only platform with security vulnerabilities. You keep believing that.
4. Re:Since when... by Anonymous Coward · 2018-07-27 03:01 · Score: 0
  
  Dumb Vector font files aren't dumb. They contain a complex turing-complete language that describes the operations required to draw the font, and since you are executing code in that language supplied by a malicious actor it is non-trivial to keep that code secure.
Enjoy your downmod... apk by Anonymous Coward · 2018-07-26 09:47 · Score: 0

See subject: Did I miss it OR does the source article NOT say a thing about the hosts file? My program protects vs. exploits of the hosts file (in Windows it protects above & BEYOND WFP/SFP window has natively + it protects hosts by applying read-only (NOT exclusive locking which may mess up other things) every 500ms to hosts so NOTHING in usermode can 'break thru' to corrupt it).
* IF it alters hosts? I add WHAT the malcode downloads from & add it to hosts to stop it infesting users.
APK
P.S.=> 3 things tell me I am doing it well & doing it right:
1st = User praise of my hosts engine https://tech.slashdot.org/comm...
2nd "ATTACKS" I GET (from UNIDENTIFIABLE anonymous fools, just like Elon Musk got https://tech.slashdot.org/stor... )
3rd BEING IMITATED as "Imitation IS the sincerest form of flattery" https://linux.slashdot.org/com... ... apk
Easily nullified by hosts files... apk by Anonymous Coward · 2018-07-26 09:57 · Score: 0

0.0.0.0 vps11240.hyperhost.name
0.0.0.0 data28.somee.com
0.0.0.0 carma666.byethost12.com
0.0.0.0 hyperhost.name
0.0.0.0 somee.com
0.0.0.0 byethost12.com
* Place those entries into your hosts file to NULLIFY this exploit!
(SOURCE = https://cloudblogs.microsoft.c... )
APK
P.S.=> For the BEST possible hosts file vs. this & other .exploits/threat? Accept NO substitute for APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download) OR APK Hosts File Engine 9.0++ SR-1 32/64-bit for Windows https://www.google.com/search?... ... apk
1. Re:Easily nullified by hosts files... apk by Anonymous Coward · 2018-07-26 10:45 · Score: 0
  
  A day late and a dollar short as always. Maybe people shouldn't rely on reactive shitware like yours for security.
2. Re:Easily nullified by hosts files... apk by Anonymous Coward · 2018-07-26 14:27 · Score: 0
  
  I just put this in my hosts file and now I can't load slashdot and my start menu leads to a bluescreen ( I have to use the browser desktop icon which somehow still works ). I would advise against doing this, APK is just trying to damage your system.
WHOOPS! Thanks AC troll (correcting myself) by Anonymous Coward · 2018-07-26 10:03 · Score: 0

See subject: This post shows the entries for hosts files from MS to stall this malware from messing w/ ya https://it.slashdot.org/commen...
APK
P.S.=> Thank you "Mr. UNIDENTIFIABLE anonymous troll" for alerting me to this one - you've been HELPFUL to me... apk
Providing font packages as MSI files? by aglider · 2018-07-26 10:37 · Score: 1

This is a very good move!
Next time Microsoft will use MSI to provide wallpapers a audio notification too.
And web pages...

--
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
1. Re:Providing font packages as MSI files? by barbariccow · 2018-07-26 14:28 · Score: 1
  
  web pages
  They're bringing back ActiveX??
2. Re:Providing font packages as MSI files? by AHuxley · 2018-07-26 16:54 · Score: 1
  
  Go full Microsoft Chrome https://en.wikipedia.org/wiki/... again.
  
  --
  Domestic spying is now "Benign Information Gathering"
Yet I caught it before YOU bs chump by Anonymous Coward · 2018-07-26 10:52 · Score: 0

See subject & https://it.slashdot.org/commen... & as far as MS CHUMPS? Bring 'em on vs. me on hosts - I'll TEAR THEM UP as I have many of them before (especially Dr. Mark Russinovich)... easily (just as I do moron trolls on /. & other sites).
APK
P.S.=> I find it AMUSING how YOU & "your kind" have to HIDE from me via UNIDENTIFIABLE anonymous - you KNOW I've torn you up before under your FAKE NAMES for your FAKE do-NOTHING "ne'er-do-well" wannabe computer guru WASTED lives is why & you KNOW it (I certainly do - you PROVE it for me, lol - I don't even have to TRY win vs. your kind as you always DEFEAT YOURSELVES for me, lmao)... apk
1. Re:Yet I caught it before YOU bs chump by Tinfoil · 2018-07-27 01:57 · Score: 1
  
  "I find it AMUSING how YOU & "your kind" have to HIDE from me via UNIDENTIFIABLE anonymous"
  Yet here you are commenting as AC yourself.
  Oddly, you strike me as someone I used to converse with quite a lot a very very long time ago.. First name Andrew I believe..
  
  --
  
  tinfoilmedia
LMAO - my method WORKS... apk by Anonymous Coward · 2018-07-26 10:57 · Score: 0

LMAO - my method WORKS & using hosts (what this threat exploits) against it no less (irony abounds). Your "hotairware" & doing zero is what should be done instead?
* No, doing something about it is what I do - you just sit there & act the trolling ASS you are, a zero, a "ne'er-do-well" JEALOUS "Lil' Jowie" - nothing more (& you KNOW it).
APK
P.S.=> I find it AMUSING how YOU & "your kind" have to HIDE from me via UNIDENTIFIABLE anonymous - you KNOW I've torn you up before under your FAKE NAMES for your FAKE do-NOTHING "ne'er-do-well" wannabe computer guru WASTED lives is why & you KNOW it (I certainly do - you PROVE it for me, lol - I don't even have to TRY win vs. your kind as you always DEFEAT YOURSELVES for me, lmao)... apk
1. Re:LMAO - my method WORKS... apk by Anonymous Coward · 2018-07-26 13:26 · Score: 0
  
  Greetings from Stockholm
  How is it going in Apartment #1, Lower level
"StRaNgE" Jim, is that you? LOL! apk by Anonymous Coward · 2018-07-26 14:20 · Score: 0

"StRaNgE" Jim, is that you? It'd be the ONLY person I know that'd be into going to Sweden (watch the "no go zones" man, you're the wrong ethnic/faith persuasion if so) & I miss the chess games man! You were the BEST opponent (well, another came along later, more below) & BEST teacher to be honest about it. Made me 10x the player I was before it.
Before I left that property (more on that below) after buying it, I had 2 young tenants I'd play who moved in w/ 'custom sets' (vs. std. plastic traditional we used) & said "We're REALLY good @ chess"!
So I was like "Hmmm, maybe - let's see" (& this was the TRUE TEST OF YOUR "TUTELAGE" (when you were dozens of games ahead, but in the end. WHO WAS "THE MASTER" of the chessboard? Me, lol)). I smoked them thru 100's of games, but 1 of them, a kid named Eric, caught up to me & was only behind by 1 GAME (I would NOT let him have that last one UNTIL I was ready, not when he was 'feeling hot' to play it). The other (really GOOD GUY named Josh who has a great future in optometry) got good enough to beat me every 3rd game or so. About Gord's skill level (pretty good).
Ah, I miss the games!
LMAO - In the rain even (that's what our 'beer activities' & love of the game led us to) & by candlelight when the power went out (I still remember the candlewax melted) PLUS our PATENTED CLUB "Knights of the RoundTable" (Jowie Neckbone Mike, You, Me, Jack, Gordon & Lee his buddy (the latter 2 are now @ Apple & BAE systems respectively - long ways from here in geography + in LIFE too)).
Man - it's been a decade++ & everyone's LONG gone but Jack & I still 'hang' (we often reminisce of those "halcyon days of yore" in fact, lol).
* IF this is you "StRaNgE" Jim? It's good but I'm not in that property anymore, I live in another I purchased with it the year after you left.
APK
P.S.=> I put, oh... $3,000 into it, refloored it (floating wood after stripping old tile & deburring + had to buy 18" tablesaw to do it), new bathroom sink, shower (plastic no tile low maintenance & cementboard backing vs. old sheetrock) + new plumbing & electrical (was QUITE a learning experience + work too) + a new stove & fridge! Man - I HAD TO CLEAN A HELLISH MESS AFTER YOU LEFT after you, but that's one "bygone" I will LET be a bygone (in fact, it was SO BAD on that stove it stopped working after you, & I had to replace it - plus the grease you left was SO BAD man, Jack nearly puked seeing me clean it, lol)... apk
Registered /.ers DISAGREE troll... apk by Anonymous Coward · 2018-07-26 14:31 · Score: 0

Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

his hosts program is actually pretty good by xenotransplant August 10 2015

his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

I like your host file system by Karmashock September 09 2015

that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* Best part = Linux 64-bit model's faster/more efficient (2x work & 1/2 the time)
APK
P.S.=> See subject: There's UNIDENTIFIABLE anonymous LIAR TROLL's bs I replied to vs. those REGISTERED /.ers above (want more like 'em? ask)... apk
only... by sad_ · 2018-07-26 23:05 · Score: 1

only on windows you get a malicious payload when installing a fsck FONT PACK!

--
On a long enough timeline, the survival rate for everyone drops to zero.
I am APK the LORD of HOSTS by Anonymous Coward · 2018-07-27 04:19 · Score: 0

I am APK the great "LORD of HOSTS", a.k.a. AlecStaar or Alexander Peter Kowalski.

See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / I . a m . a . f u c k i n g / a s s h o l e . r e t a r d . z i p (remove spaces between characters & download).

I am the godlike creator of various GUI front-ends for other people's configuration files.

Calling people ne'er-do-wells or Jealous JOWIEs is how I think I win every argument

When people state the truth about me I get really mad and accuse them of projecting which is something I do all the time.

Don't call me out on anything unless you are willing to prove you too can write some strings to a file programmatically

Spamming and being a general pain in the ass is what I do

Listen as I relive my glory days of being a college athlete in the early 80s

You must be conspiring with the Jews and Soros if you disagree with me

Bask in my greatness as I can do a ping as a non root user.

Watch as I whine about my work being flagged as malware by anti-virus software.

Witness my descent into madness

APK
1. Re:I am APK the LORD of HOSTS by Tinfoil · 2018-07-27 15:06 · Score: 1
  
  Damn man, yeah I remember you from the Dalnet days when we were mods of one of the channels. Your decent into madness started even back then!
  
  --
  
  tinfoilmedia
APK needs to understand this by Anonymous Coward · 2018-07-27 05:04 · Score: 0

Obligatory XKCD that you need to read and understand.
You've done better? apk by Anonymous Coward · 2018-07-27 06:52 · Score: 0

You've done better? No (prove me wrong) & I've got far more good reviews by registered /.ers. Want more? Ask.
APK
P.S.=> It's ALL I need to shut "your kind" (do-nothing "ne'er-do-well" JEALOUS "Lil' Jowies") down easily... apk