Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software

Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users' computers. From a report: The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus. Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies. One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company's cloud servers during the editor's installation routine.

Re:

[Tinfoil]

"I find it AMUSING how YOU & "your kind" have to HIDE from me via UNIDENTIFIABLE anonymous"

Yet here you are commenting as AC yourself.

Oddly, you strike me as someone I used to converse with quite a lot a very very long time ago.. First name Andrew I believe..

Re:

[Tinfoil]

Damn man, yeah I remember you from the Dalnet days when we were mods of one of the channels. Your decent into madness started even back then!

comic sans?

[Anonymous Coward]

was it comic sans?

Guess that is why I prefer

[oldgraybeard]

To download full local install packages with their check sums. And that these cloud based (internet required) apps are great to force the continuous subscription profit model but not so secure or great for the end user.

Just my 2 cents ;)

Sychronicity

[theCat]

I was just this morning taking a security course required by my employer where they were stressing the importance of securing the supply chain.

Oh and by-the-way, I think there must be some kind of quantum nature to all these exploits. And maybe if we would just stop looking for them, they would not come into existence at all and their eigenvalues would remain undefined. Worth a shot.

Okay back to your regularly scheduled illusion.

Re:

[Trax3001BBS]

I was just this morning taking a security course required by my employer where they were stressing the importance of securing the supply chain.

Microsoft is an arrogant bunch, and take no notice of a situation not theirs.

This exact thing happened two years ago to Linux Mint https://www.zdnet.com/article/... [zdnet.com]
And the time my Email address became public domain.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[barbariccow]

That doesn't mean that downloading fonts needs to execute code. That is stupid. What's wrong with fetching a zip of dumb font files? There's no execution vector, except that Microsoft gives them one. And you're right, this has been known about for a very long time, and yet still windows will download and execute executable sections of code to install a fucking font. The font itself is not the problem here.

Providing font packages as MSI files?

[aglider]

This is a very good move!
Next time Microsoft will use MSI to provide wallpapers a audio notification too.
And web pages...

Re:

[barbariccow]

web pages

They're bringing back ActiveX??

Re:

[AHuxley]

Go full Microsoft Chrome https://en.wikipedia.org/wiki/... [wikipedia.org] again.

only...

[sad_]

only on windows you get a malicious payload when installing a fsck FONT PACK!