Slashdot Mirror


Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software (bleepingcomputer.com)

Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users' computers. From a report: The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus. Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies. One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company's cloud servers during the editor's installation routine.


  1. comic sans? by Anonymous Coward · · Score: 2, Funny

    was it comic sans?

  2. Guess that is why I prefer by oldgraybeard · · Score: 1

    To download full local install packages with their checksums. And that these cloud-based (internet required) apps are great to force the continuous subscription profit model but not so secure or great for the end user.

    Just my 2 cents ;)

  3. Synchronicity by theCat · · Score: 2

    I was just this morning taking a security course required by my employer where they were stressing the importance of securing the supply chain.

    Oh and by-the-way, I think there must be some kind of quantum nature to all these exploits. And maybe if we would just stop looking for them, they would not come into existence at all and their eigenvalues would remain undefined. Worth a shot.

    Okay back to your regularly scheduled illusion.

    --
    =^..^= all your rodent are belong to us
    1. Re:Synchronicity by Trax3001BBS · · Score: 1

      I was just this morning taking a security course required by my employer where they were stressing the importance of securing the supply chain.

      Microsoft is an arrogant bunch, and take no notice of a situation not theirs.

      This exact thing happened two years ago to Linux Mint https://www.zdnet.com/article/...
      And the time my Email address became public domain.

  4. Since when... by muecksteiner · · Score: 1

    ...is it considered even remotely acceptable that downloading an (expletive deleted) font package puts you at risk of malware installation? Which parallel universe does one have to be in to not immediately send the person in charge of security for this product to the Uranium mines?

    Oh, wait, this is Windows we are talking about. All good, move on, nothing new to see here.

    1. Re:Since when... by barbariccow · · Score: 1

      That doesn't mean that downloading fonts needs to execute code. That is stupid. What's wrong with fetching a zip of dumb font files? There's no execution vector, except that Microsoft gives them one. And you're right, this has been known about for a very long time, and yet still Windows will download and execute executable sections of code to install a fucking font. The font itself is not the problem here.

  5. Providing font packages as MSI files? by aglider · · Score: 1

    This is a very good move!
    Next time Microsoft will use MSI to provide wallpapers and audio notifications too.
    And web pages...

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Providing font packages as MSI files? by barbariccow · · Score: 1

      web pages

      They're bringing back ActiveX??

    2. Re:Providing font packages as MSI files? by AHuxley · · Score: 1

      Go full Microsoft Chrome https://en.wikipedia.org/wiki/... again.

      --
      Domestic spying is now "Benign Information Gathering"
  6. only... by sad_ · · Score: 1

    Only on Windows you get a malicious payload when installing a fsck FONT PACK!

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  7. Re:Yet I caught it before YOU bs chump by Tinfoil · · Score: 1

    "I find it AMUSING how YOU & "your kind" have to HIDE from me via UNIDENTIFIABLE anonymous"

    Yet here you are commenting as AC yourself.

    Oddly, you strike me as someone I used to converse with quite a lot a very very long time ago.. First name Andrew I believe..

  8. Re:I am APK the LORD of HOSTS by Tinfoil · · Score: 1

    Damn man, yeah I remember you from the Dalnet days when we were mods of one of the channels. Your descent into madness started even back then!