I predict a rash of eventual FireEye, Cisco, and other vendor zero days in the near to mid future. If you are a nation state actor what better way to find zero days than to get the source code and find the bugs to exploit. This is the only thing that makes sense that would be worth the risk of attacking companies such as FireEye and Microsoft.
The only interesting part of this whole debacle in my mind is that it highlights what was already fairly obvious. The security of a given environment is only as secure as its weakest link. The entire supply chain for every bit of code that is installed on a machine is a potential vector. If that code happens to run at privilege (like administration software) that vector is shorter. (And that's only if you're considering software.) When you think about it, it's staggering.

I suspect we'll be seeing a lot more attention on reproducible and cryptographically secure build environments, similar to the gitian stuff in bitcoin land.
> This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk

I don't know how much of this is true. Wouldn't it be helpful for bad actors to understand how Windows defenses work by looking at the code, thereby increasing the risk?
Practically speaking, being a bad guy with access to Microsoft source code for a short time has very little impact or real-world relevance. They do thousands of updates a day, the build processes are lengthy and poorly documented, the overall direction of the code is subject to myriad political groups inside the company, and they're making massive improvements in multiple branches that will render that snapshot irrelevant within minutes.

The "best" market for any such code would be... what... China? Other than the possibility of figuring out potential hacks who could make use of the code in its sheer mass? By the time you figure out something clever your version of the code is hopelessly out of date.
Very curious as to the details they aren't releasing.

If you read between the lines they are saying that accounts were compromised, but not through token stealing, which means the attackers got the passwords to the accounts, and likely skirted MFA requirements because they were already inside, or there were none.

While there are many avenues to steal passwords once you have the foothold the attackers did, it would be interesting to know the details as to how these particular accounts were compromised.
If they were the ones responsible for leaking the XP source not long ago, then they deserve much thanks from the underground retrocomputing and software preservation community --- MS would've likely never opened that source themselves. In the same way that those who leak schematics and service information to enable third-party repair are also to be commended. "An enemy of an enemy is a friend."
Though this is bad for Microsoft, does it make the situation substantially worse from a security perspective? Assuming they're following good practices like not storing access keys, passwords, etc, in their source control system(s), this seems like more of an IP protection issue.

I could be wrong about that, though, and I'd be curious to learn and understand more.
Funny usage of the MS defender for the link to the "inner source" wikipedia entry:

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FInner_source&data=04%7C01%7Crmcree%40microsoft.com%7C3c2b93314b6a4c82230608d8ada9c8dd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637450292021293272%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=XfTuzoczzfzFR6DNm73DwrWSDpHPeMvWqTmBMFZVXzI%3D&reserved=0
Is the source code buildable, or is it mainly for documentation purposes? I'm guessing the build system and tool chains required for building windows are massively complex. Are these distributed with the windows source code as well?

Also I'm guessing that there are a lot of other proprietary vendor-supplied pieces that get built with Windows. What happens if these are not available?
I don't know if I missed it in the article, but did they say anything explicit about write access? Seeing the source may give access to new zero days, but it would be much worse if the attackers were able to seed a large number of commits into the code that introduce subtle vulnerabilities.
Reading this, the question that immediately pops in my head is:

Could a hack like this one go undetected for so long in a widely used free/open-source project developed in the open, such as the Linux kernel?

While I have no doubt that something like this could happen to the Linux kernel source code (because security is Capital-H Hard), my perception is that something like this is less likely to happen to the Linux kernel -- and, were it to happen, it would likely be detected sooner, due to the inherent *transparency* of widely used open-source code.
There's a very old homily that applies exactly to this flaming debacle: don't put all your eggs in one basket.

WP says that SolarWinds "had about 300,000 customers as of December 2020, including nearly all Fortune 500 companies and numerous federal agencies."

*Everyone* who thought that was a good idea, for whatever reasons - given the history of security - obviously screwed up badly. When -so many people- go -so wrong-, the problem is clearly bigger than the loss of 'too many secrets'.
I would love to have access to NT source code, hopefully it leaks. The most recent leaks are way out of date and have basically been exhausted of their usefulness.
Of course, it absolutely HAS to be a nation-state. There's just no way anybody not being paid millions of dollars could possibly break their ironclad blah blah whatever you get it
Many comment threads here discussing the (in)ability of an attacker to modify the source-code that Microsoft builds from, or use it to more easily discover vulnerabilities.

What I've not seen anyone discuss is the potential for an attacker to take the source-code of a single Windows core component (a system DLL for example), add in a backdoor, build it and then distribute the binary via a compromise such as the SolarWinds update mechanism.

In other words, insert a modified core Windows DLL into some other popular Windows driver or application package updater published and signed via a 'trusted' channel other than Microsoft itself.
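A defender-side check for the scenario in the comment above, added here as an example rather than code from anyone in the thread: a rebuilt core DLL shipped through a third-party updater cannot carry a valid Microsoft signature, so a Windows system directory containing a DLL that is unsigned, has a broken signature, or is validly signed by someone other than Microsoft is worth alerting on. The function, its parameters and the 'O=Microsoft Corporation' subject match are assumptions of this example; `Get-AuthenticodeSignature` and `Get-FileHash` are the standard cmdlets and also resolve catalog-signed OS binaries.

```powershell
# Added example: report DLLs under $Path that are not validly signed by Microsoft.
# $Path and $Limit are assumed parameters chosen for this example.
function Test-MicrosoftSignedDlls {
    param(
        [string]$Path  = "$env:SystemRoot\System32",
        [int]   $Limit = 200   # cap the scan so a first run stays quick
    )

    $findings = @()
    Get-ChildItem -Path $Path -Filter *.dll -File -ErrorAction SilentlyContinue |
        Select-Object -First $Limit |
        ForEach-Object {
            # Resolves both embedded Authenticode signatures and catalog signatures.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $isMicrosoft = $subject -match 'O=Microsoft Corporation'

            # Anything not Valid, or validly signed by a non-Microsoft publisher, is a finding.
            if ($sig.Status -ne 'Valid' -or -not $isMicrosoft) {
                $findings += [pscustomobject]@{
                    File       = $_.FullName
                    Status     = $sig.Status
                    Signer     = $subject
                    IsOSBinary = $sig.IsOSBinary
                    # Hash recorded so the file can be compared against a known-good baseline.
                    Sha256     = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                }
            }
        }

    return $findings
}

# Usage: an empty table is the expected result on a clean system.
Test-MicrosoftSignedDlls | Format-Table -AutoSize
```

The signature status alone is not proof of a benign file (the SolarWinds updates were themselves legitimately signed), which is why the hash is recorded as well: the useful signal for this particular scenario is the mismatch between where a binary lives and who signed it, and that is what the filter keys on.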
I wonder if incidents like this will push MS towards open sourcing windows.

IDK what their revenue looks like, but I'm guessing that selling the OS isn't as front and center as it used to be (from the way they are changing in terms of supporting things like Linux).

Even if they keep a pretty tight license around the source, releasing it to the public would earn a lot of good will while potentially finding and fixing security problems.
On the whole this does not affect my perception of Microsoft. In fact it probably tilts it in their favor. They were able to conduct a thorough investigation and figure out the attackers had access to the source. The reality is that while it makes future attacks easier it has already been taken into account for a large majority of risk assessments.

People trash Microsoft a lot but some of the people there are the best in their respective fields.
Here's the updated Microsoft post that contains the admission that the hackers viewed source code:

https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/

Drives me crazy that Reuters could write an entire post about a Microsoft blog post, yet not link to the post itself.
Original blog post by Microsoft - https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
> Microsoft said the account did not have the ability to monitor any Microsoft code. The blog post further added it has found no evidence of access "to production services or customer data."

The article is in contradiction with the headline, isn't it?
This seems like a very serious breach. Expect zero-days to run rampant the next 10 years.

I don't know whether to pat Microsoft on the back or give them a scolding.

If you are up against a military intelligence hell bent on discovering attack vectors produced by the private commercial industry then this is a losing battle; whoever has infinite resources wins.

In this case the governments of the world can print unlimited money and have access to the top of the crème, we are talking 0.0001% of the population working on discovering the next zero day vulnerability.

How does a for profit corporation go up against an adversary with infinite resources?