Software engineer and security researcher, Adnan Khan, has found and published a supply chain attack carried out via Microsoft GitHub's runner images. The project used in the proof of concept is PyTorch.
From a period of time between February 2023 and July 25th, 2023, one such repository was GitHub's own actions/runner-images repository. You might be able to guess where this story this is going. This is the story of how I discovered and exploited a Critical misconfiguration vulnerability and reported it to GitHub. The vulnerability provided access to internal GitHub infrastructure as well as secrets. There was also a very high likelihood that this access could be used to insert malicious code into all of GitHub's runner base images – allowing an attacker to conduct a supply chain attack against every GitHub customer that used hosted runners.
More than a few sites are wrongly spinning this as a weakness with Python, PyTorch, or even with FOSS in general. However, the problem is not with FOSS, Python, or PyTorch but instead with a reliance on Microsoft's infrastructure for development. Fortunately there are mitigations. GitHub is software as a service, and not related to FOSS or Git itself though it does exploit both. It currently serves as a showcase for Microsoft Copilot.
(Score: 5, Funny) by Gaaark on Sunday January 21, @09:14PM (3 children)
Seriously... why is anyone still using Microsoft anything?
When i have to use MS Outlook 360/whatever, i find I'm always waiting for it to log in and for mail to 'show/download': I am always less than productive using MS products.
We ARE the most intelligent species on Earth... right? Right?
Don't see dolphins and chimps and crows using MS product, no siree......
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Interesting) by Anonymous Coward on Sunday January 21, @09:58PM
Because unlike Linux and BSD, Microsoft made it so you can incompetently manage their system while play video games and smoking pot.
I mean seriously...when my kid was 1 year old, he was pointing and clicking and doing all sorts of stuff on the computer. Once he gained the ability to understand and type language he was able to use a search engine to find answers to all sorts of questions.
He's 17 now, and he flips cars for a living. He finds broken down cars that people sell for a few hundred dollars, then he sits and watches YouTube videos on how to fix various things and then he resells them for thousands.
But ask him how an engine works or how to build one? No clue.
And that's your average Windows admin. Something doesn't work, and they have to ask Google and then copy/paste some powershell...or...more accurate to most of the shit you find in the MIcrosoft Forums...they need to ignore the problem for an hour or two while they go out for pizza, then come back and reboot and it "magically" works again.
(Score: 2, Funny) by Runaway1956 on Sunday January 21, @11:52PM
Well, they're not going to admit to it, of course. But you have little idea what they're doing when not under observation.
(Score: 2) by Mojibake Tengu on Monday January 22, @10:04AM
Don't be so sure...
https://answers.microsoft.com/en-us/msoffice/forum/all/how-do-i-draw-a-crows-foot-within-a-word-document/46a00493-e687-4e65-a653-ea1c934b0bc8 [microsoft.com]
Respect Authorities. Know your social status. Woke responsibly.
(Score: 3, Informative) by tbuskey on Sunday January 21, @09:53PM
PyTorch was not using MS/Github's runners. They were using self hosted runners. Unlike the regular runners, MS does not monitor/configure self hosted runners.
(Score: 5, Interesting) by darkfeline on Sunday January 21, @11:24PM
I don't think there are any reasonably large software projects that are secured against supply chain attacks at the moment. It is a large class of vulnerabilities that only recently started getting attention due to the SolarWinds incident (although it is obvious in retrospect). The industry standard (SLSA, build provenance, etc) is relatively new and AFAIK no one has fully implemented it for any non-trivial projects.
Join the SDF Public Access UNIX System today!
(Score: 2) by hendrikboom on Monday January 22, @01:44PM (2 children)
Without knowing what github runners are I do not understand the practical import of this articlr
(Score: 3, Informative) by cereal_burpist on Wednesday January 24, @02:17AM (1 child)
https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners [github.com]
(Score: 4, Interesting) by hendrikboom on Wednesday January 24, @01:31PM
Thank you. I had made a vague guess, but you've provided me with the detailed explanation I wanted. Thank you.
Seems like for my own work I could easily host the equivalent on my own hardware.