Two critical Microsoft PC Manager bugs let an attacker launch a supply-chain attack
Two critical security vulnerabilities have recently been discovered in Microsoft PC Manager, which could allow a remote attacker to execute arbitrary code on the system. Both carry a daunting CVSS score of 10, the highest on the scale. To the uninitiated, the Common Vulnerability Scoring System (CVSS) is an industry standard used to assign severity scores to vulnerabilities. A score of 10 signifies that the vulnerability can be catastrophic if exploited.
Microsoft PC Manager is a free utility software for PCs that helps users keep their PCs working optimally. It offers a wide range of features, including system optimization, security, storage management, and system diagnostics.
The first vulnerability, ZDI-23-1527, is caused by an error within the permissions granted to a SAS (Shared Access Signature) token. SAS tokens grant access to resources in Azure Storage without requiring the holder to authenticate with the storage account's own credentials.
By sending a specially crafted request, an attacker could exploit this vulnerability to launch a supply-chain attack and execute arbitrary code on customers’ endpoints. Authentication is not required to exploit this vulnerability.
The second vulnerability, ZDI-23-1528, is also caused by an error within the permissions granted to a SAS token. The exploit for this vulnerability is similar to that of ZDI-23-1527.
Technical Deep Dive
Both of these vulnerabilities are caused by the same underlying issue: a misconfiguration in the permissions granted to SAS tokens. A server typically generates SAS tokens and then sends them to the client. The client can then use the SAS token to access the resource specified in the token.
In the case of Microsoft PC Manager, the SAS tokens are generated by a server-side component and then sent to the client. The client can then use the SAS token to access resources in Azure storage.
However, the permissions granted to the SAS tokens are too broad. This allows anyone holding the token to reach resources, and perform operations on them, that the client was never meant to have.
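The misconfiguration described above is the kind of thing a pre-release review of the token generator should catch. The following is an added example, not code from Microsoft PC Manager or from the ZDI advisories: a small defensive auditor that parses the query-string form of a SAS token and reports the findings a reviewer would raise before that token is handed to clients. The query keys it inspects (sp, se, sr, ss, srt, sip, spr) are the documented Azure Storage SAS parameter names; the two sample tokens are constructed for illustration, with a placeholder in place of the real signature, and the one-day lifetime limit is a policy assumed for this example.

```python
"""Audit an Azure Shared Access Signature (SAS) token for overly broad grants.

Hypothetical defensive helper (added example, not Microsoft PC Manager code).
It flattens the SAS query string and reports the grants that turn a scoped
download credential into a write path into the vendor's storage account.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Documented Azure Storage SAS permission letters.
PERMISSION_NAMES = {
    "r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
    "c": "create", "u": "update", "p": "process", "t": "tag", "f": "filter",
    "x": "delete version", "y": "permanent delete", "i": "set immutability",
    "m": "move", "e": "execute", "o": "ownership",
}
# Every letter here lets the holder alter or destroy stored content.
WRITE_CAPABLE = set("wdacuxyimo")
MAX_LIFETIME = timedelta(days=1)  # policy assumed for this example

# Fixed "current time" so the audit is reproducible.
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample tokens; "sig" is a placeholder, not a real HMAC.
BROAD_TOKEN = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacupiytfx"
               "&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER")
TIGHT_TOKEN = ("sv=2022-11-02&sr=b&sp=r&se=2024-01-01T06:00:00Z"
               "&sip=203.0.113.10&spr=https&sig=PLACEHOLDER")


def parse_sas(token: str) -> dict:
    """Flatten the SAS query string to {key: first value}."""
    pairs = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def _parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 in UTC; normalise a trailing 'Z' for fromisoformat."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def audit_sas(token: str, now: datetime = FIXED_NOW) -> list:
    """Return human-readable findings; an empty list means the token passed."""
    p = parse_sas(token)
    findings = []

    # 1. Permissions: a download client needs read (and maybe list), nothing more.
    extra = sorted(set(p.get("sp", "")) & WRITE_CAPABLE)
    if extra:
        names = ", ".join(PERMISSION_NAMES[c] for c in extra)
        findings.append(f"write-capable permissions granted: {names}")

    # 2. Scope: an account SAS ("ss") spans whole services; a service SAS ("sr")
    #    names one blob or container.
    if "ss" in p:
        findings.append(f"account-level SAS covering services '{p['ss']}' "
                        "instead of a single resource")
    if "srt" in p and set(p["srt"]) & set("sc"):
        findings.append("resource types include service or container scope")

    # 3. Lifetime: a leaked long-lived token stays useful to whoever finds it.
    if "se" not in p:
        findings.append("no expiry (se) set")
    else:
        remaining = _parse_time(p["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token already expired")
        elif remaining > MAX_LIFETIME:
            findings.append(f"lifetime of {remaining.days} days exceeds policy")

    # 4. Transport and origin restrictions. Azure permits both schemes when spr is absent.
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    if p.get("spr", "https,http") != "https":
        findings.append("plain HTTP permitted (spr)")

    return findings


if __name__ == "__main__":
    for label, tok in (("broad", BROAD_TOKEN), ("tight", TIGHT_TOKEN)):
        print(f"{label}: {audit_sas(tok) or ['OK']}")
```

Run against the broad token, the auditor reports six findings, led by the write-capable permissions; the tight token, scoped to one blob, read-only, expiring within hours and pinned to a source address, passes cleanly. Wiring a check like this into the pipeline that mints tokens is cheaper than discovering the gap through a disclosure.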
Exploitation
An attacker could exploit these vulnerabilities to launch a supply-chain attack. In a supply-chain attack, the attacker targets a vendor in order to gain access to the vendor’s customers.
For example, an attacker could create a malicious website that hosts a malicious version of Microsoft PC Manager. When a user downloads and installs the malicious version of Microsoft PC Manager, the attacker gains access to the user's system.
The attacker could then use the SAS token to access resources in Azure storage, such as customer data or intellectual property.
The credit for uncovering these vulnerabilities goes to the diligent security researcher Nitesh Surana (@_niteshsurana) of Trend Micro Research. His discovery was made public via the Zero Day Initiative program, which coordinates the disclosure of security vulnerabilities with affected vendors.
Supply-chain attacks, like the potential ones stemming from these vulnerabilities, are particularly insidious. They can infiltrate trusted applications and spread malware to numerous endpoints, often without the end-user’s knowledge until it’s too late. With Microsoft PC Manager’s widespread use, the impact could be vast.
Mitigation
Microsoft has released security patches for both of these vulnerabilities. Users are urged to install the latest security patches as soon as possible.
In addition, users should be careful about where they download Microsoft PC Manager from. Only download Microsoft PC Manager from the official Microsoft website.
These two critical security vulnerabilities in Microsoft PC Manager highlight the importance of keeping software current. Users should always install the latest security patches as soon as possible.
In addition, users should be careful about where they download software from. Only download software from trusted sources.