Many corporations develop their own applications to be used in-house amongst employees or sent out externally. Developers within organizations use package managers for handling libraries that are then put together to assemble an app. The attack method Microsoft is discussing involves targeting app building, package managers for downloading and importing, and repositories hosting app files. Using “dependency confusion,” threat actors can exploit private app libraries within a corporation. That’s a problem because while some organization apps are non-sensitive, some of them can host very sensitive code.
Attack
Attacks can take advantage of the way many company developers package apps. A lot of apps are held in a mix of public and private libraries. If an attack can discover the name of a private library, they could register it on a public repository and upload malicious libraries to the public packages. Microsoft says an attack would work if an internal app environment prioritizes the public library over the internal private one (both would have the same name). After security researchers told Microsoft and other major companies about the problem, Microsoft reacted quickly. In its white paper, the company discusses the attack method and warns of the danger of the hybrid package manager configuration. Microsoft also points to several mitigations than companies can adopt to prevent an attack:
Use controlled scopes on public packages to protect private packages. Hold one private feed as a reference instead of many. Have a client side verification in place.
Tip of the day: Due to the various problems that arise with microphones, it can often be necessary to perform a mic test, but those wondering how to hear yourself on mic in Windows 10 are often left stumped. Microsoft’s OS doesn’t make it especially intuitive to listen to microphone playback or play the microphone through speakers. In our tutorial we show you how to hear yourself on mic with just a few clicks.
