Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows 10’s Package Manager Flooded With Duplicate, Malformed Apps

Windows 10’s Package Manager Flooded With Duplicate, Malformed Apps

Last week, Microsoft released the first stable version of its Windows 10 package manager, Winget, which enables users to manage apps via command-line.

Much like package managers available on other platforms, Winget lets Windows users automate app management when it comes to installing, configuring, upgrading, and uninstalling applications.

But, over the weekend, multiple users flooded Winget’s software registry with pull requests for apps that are either duplicate or malformed, thereby raising concerns about the integrity of the Winget ecosystem.

Winget’s repo flooded with duplicate apps, malformed manifests

Microsoft had first introduced the preview version of its Windows 10 package manager at Microsoft Build 2020. Since then, Microsoft developed Winget as an open-source project on GitHub.

Last week marked a milestone when the first stable version of Winget was released.

Microsoft’s guidelines state that independent software vendors (ISVs) looking to upload their application to the Winget registry, can do so by submitting the application’s manifest on their GitHub.

Furthermore, when contributors submit a manifest to Winget’s GitHub, with some exceptions, the manifests are automatically validated by Winget’s bot against set criteria.

But, over this Memorial Day weekend, multiple pull requests emerged on Winget’s GitHub containing names of apps that had already existed in the package manager’s registry.

Moreover, some pull requests contained incorrect application names in the manifests or “bad” links from where the application should get fetched.

And, in few other cases, new pull requests would overwrite existing applications’ manifests, with incomplete info.

The user KaranKad originally raised this issue over the weekend, after gathering over five dozen such examples of invalid pull requests being made to Winget’s repo.

“People are submitting bad or duplicate manifests without checking if the app already exists or not in this repository.”

“Create a group of active contributors who know what they are doing, with [the] ability to close a PR so they can prevent bad or duplicate PRs from getting in,” suggested the user.

Also Read: Compliance Course Singapore: Spotlight on the 3 Offerings

Out of the many examples posted, BleepingComputer noticed how this was especially true for an app named after “PrimoPDF”:

NitroPDF bad link Winget
Incorrect Winget PackageIdentifier and InstallerUrl submitted for NitroPDF application (GitHub)

The manifest files for the NitroPDF’s PrimoPDF app reportedly contains malformed PackageIdentifier (“NitroPDFIncNitroPDFPtyLtd.PrimoPDF”) and download URL.

In other cases, BleepingComputer observed, manifests of legitimate applications like VideoLAN’s VLC player and Valve’s Steam app had been overwritten by contributors, but with incomplete info:

winget app overwritten
Manifest of VideoLAN’s VLC player overwritten with incomplete info (GitHub)

BleepingComputer has recently reported on open-source ecosystems like PyPI getting flooded with garbage spam components.

In more serious cases, counterfeit components have been caught getting uploaded to the npm and RubyGems repositories.

Left unchecked, these malformed, incomplete, or outright malicious packages can pave a way for anything from simple application errors to a successful supply-chain attack.

Although these Winget pull requests, which introduced incomplete information in the applications’ manifests, were shortly reverted [12], what is being done to prevent such instances in the future?

Also Read: PDPA Singapore Guidelines: 16 Key Concepts For Your Business

Developers propose multiple solutions

Following this ongoing incident, multiple developers have suggested workarounds or practices Winget can adopt to ensure the integrity of its packages.

“I really really think that any new PackageIdentifer should have to be checked by someone on the Winget team (or if they want to start a recognized contributor system I’d throw my hat in the ring),”  suggested Easton Pillay, a developer and Winget contributor.

Pillay also believes that fully automating the addition of new Winget packages will introduce tons of duplicates.

In the same thread, the developer also proposed that newly created Winget manifests should require a manual review:

“I know we are trying not to waste the moderator’s time, but since [the contributors] are committing known bad metadata by default…, the bot doesn’t realize it and then someone who knows that the bug exists has to go back and fix all of the errors (or live with the metadata being wrong, which is a tragedy ;D),” said Pillay.

Microsoft’s Demitrius Nelon, a key person behind Winget’s development has acknowledged the issue and that he plans to bring it up with the team.

Nelon has also proposed a potential solution:

“One of the options could be requiring a ‘second’ approver on a ‘new’ manifest in a ‘new’ directory.”

“The bot has a concept that might work for that scenario. I just don’t want to put too much friction and time delay for people submitting manifests, nor too much pressure on ‘moderators’.”

“We’ve got a feature on the backlog to detect duplicates. It’s more of a warning than a blocking action. We have some expected ‘valid’ rename scenarios,” explained Nelon.

BleepingComputer has reached out to Microsoft for comment prior to publishing and we are awaiting their response.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us