Jan 30, 2024 - Technology

Microsoft's latest flaw hits open-source projects

Illustration of a robber's hand taking away a block of the Microsoft logo.

Illustration: Aïda Amer/Axios

A team of security researchers has uncovered a flaw in Microsoft's code development and testing environment that could affect upward of 70,000 open-source projects, according to a report first shared with Axios.

Why it matters: Researchers at Legit Security said in a report today that they've found a flaw in popular testing tool Azure Pipelines that would allow hackers to inject malicious code into source code and other projects hosted in code testing environments.

Details: The vulnerability can be triggered when someone submits a contribution or edit to a build system project hosted on Azure Pipelines, Liav Caspi, co-founder and chief technology officer at Legit Security, told Axios.

  • When Azure Pipelines runs a review of that code, it usually tests the new suggestion in a "sandbox" environment.
  • However, Legit Security researchers found a way to trick a build system into running the test code in a live environment, Caspi said, "so it can find out sensitive secrets and sensitive data."
  • The bug has a 7.3 out of 10 severity rating on the industry's widely used Common Vulnerability Scoring System and could give hackers elevated access to an organization's networks, but it would need to be combined with another vulnerability to execute an attack, per Microsoft.

Yes, but: The problem still affects only code that's hosted on the on-premise version of Azure Pipelines and those who haven't manually updated to the latest version.

  • Microsoft released a patch in October, and all customers who have installed the latest software updates or have automatic updates are already protected, a spokesperson told Axios.
  • Code repositories that have implemented a so-called trigger in Azure Pipelines are likely to be most vulnerable, Caspi said.

The big picture: The recent disclosure underscores the growing importance of both supply chain security and securing open-source code, especially in companies' source code.

  • Ever since the 2020 hack of SolarWinds, Legit Security's clients have made scanning and securing their software supply chains a top priority, and Caspi's team found this new flaw while poking around Azure Pipelines for customers.

What they're saying: "If you're developing software, and this software is important, and it's driving the business, there's a lot of focus on, 'Can somebody change something in the build? Can somebody steal data?'" Caspi said.

Catch up quick: The news also comes as Microsoft continues to wrestle with a recent Russian hack of its senior executives' email inboxes.

  • The company said last week that it had started notifying other companies that were targets of the same Russian hacking group.

Between the lines: Both the vulnerability that Legit Security found and the recent Russian hack take advantage of weaknesses in Microsoft's production environments.

  • In the recent breach, the Midnight Blizzard group first gained access to Microsoft's systems via a password-spraying attack targeting a "legacy non-production test tenant account."

The intrigue: Microsoft was quick to respond to Legit Security's vulnerability, Caspi said, which isn't always a guarantee when security researchers submit their findings to large companies.

The bottom line: Caspi said his company finds all sorts of security flaws in testing environments and systems that host a company's source code — not just in Microsoft products.

  • "This specific area of supply chain security — build security — is a bit of a new territory," he said. "The more people dig in, the more they find. It's a little bit uncharted."
Go deeper