Microsoft recently announced that its Windows source code had been viewed by the SolarWinds attackers. (Normally, only key government customers and trusted partners would have this level of access to the “stuff” of which Windows is made.) The attackers were able to read – but not change – the software secret sauce, raising questions and concerns among Microsoft customers. Did it mean, perhaps, that attackers could inject backdoor processes into Microsoft’s updating processes?

First, a bit of background on the SolarWinds attack, also called Solorigate: An attacker got into a remote management/monitoring tool company and was able to inject itself into the development process and build a backdoor. When the software was updated through the normal updating processes set up by SolarWinds, the backdoored software was deployed into customer systems — including numerous US government agencies. The attacker was then able to silently spy on several activities across these customers.

One of the attacker’s techniques was to forge tokens for authentication so that the domain system thought it was getting legitimate user credentials when, in fact, the credentials were faked. Security Assertion Markup Language (SAML) is regularly used to transfer credentials securely between systems. And while this single sign-on process can provide additional security to applications, as showcased here, it can also allow attackers to gain access to a system. The attack process, called a “Golden SAML” attack, “involves the attackers first gaining administrative access to an organization’s Active Directory Federation Services (ADFS) server and stealing the necessary private key and signing certificate.” That allowed for continuous access to this credential until the ADFS private key was invalidated and replaced.

Currently it’s known that the attackers were in the updated software between March and June 2020, though there are signs from various organizations that they may have been quietly attacking sites as long ago as October 2019. 

Microsoft investigated further and found that while the attackers were not able to inject themselves into Microsoft’s ADFS/SAML infrastructure, “one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made.” This is not the first time Microsoft’s source code has been attacked or leaked to the web. In 2004, 30,000 files from Windows NT to Windows 2000 leaked onto the web via a third party. Windows XP reportedly leaked online last year.

While it would be imprudent to authoritatively state that the Microsoft update process can never have a backdoor in it, I continue to trust the Microsoft updating process itself — even if I don’t trust the company’s patches the moment they come out. The Microsoft updating process depends on code-signing certificates that have to match up or the system will not install the update. Even when you use the distributed patch process in Windows 10 called Delivery Optimization, the system will get bits and pieces of a patch from other computers on your network – or even other computers outside of your network – and reassemble the entire patch by matching up the signatures. This process ensures that you can get updates from anywhere — not necessarily from Microsoft — and your computer will check to make sure the patch is valid.
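To make the property described above concrete, here is a small model written for this article (not Microsoft’s code, and not the real Delivery Optimization format): the publisher signs a manifest of per-chunk hashes, so chunks fetched from untrusted peers can be checked before assembly and a tampered chunk is skipped while a forged manifest is refused outright. Ed25519 keys and the manifest layout are assumptions for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Manifest: the SHA-256 of every chunk, in order, under the publisher's
// signature. Only this needs a trusted source; chunk bytes may come from any peer.
type Manifest struct {
	ChunkHashes [][32]byte
	Signature   []byte // Ed25519 over the concatenated hashes (illustrative format)
}
func (m Manifest) signedBytes() []byte {
	var b []byte
	for _, h := range m.ChunkHashes {
		b = append(b, h[:]...)
	}
	return b
}

// SignManifest is the publisher's side: hash every chunk and sign the list.
func SignManifest(priv ed25519.PrivateKey, chunks [][]byte) Manifest {
	var m Manifest
	for _, c := range chunks {
		m.ChunkHashes = append(m.ChunkHashes, sha256.Sum256(c))
	}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Assemble is the client's side: verify the manifest with the pinned publisher
// key, then take each chunk from the first peer whose copy hashes to the signed
// value, so a tampered or corrupt peer copy is skipped rather than installed.
func Assemble(pub ed25519.PublicKey, m Manifest, peers [][][]byte) ([]byte, error) {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return nil, errors.New("manifest signature invalid: refusing to install")
	}
	var patch []byte
next:
	for i, want := range m.ChunkHashes {
		for _, p := range peers {
			if i < len(p) && sha256.Sum256(p[i]) == want {
				patch = append(patch, p[i]...)
				continue next
			}
		}
		return nil, errors.New("no peer offered a chunk matching the signed hash")
	}
	return patch, nil
}
```

The same check applies whether the chunks arrive from Microsoft, a neighbouring PC, or a stranger on the Internet: a peer can only ever supply bytes that hash to what the publisher signed.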

Copyright © 2021 IDG Communications, Inc.