1. 30

  2. 7

    And Microsoft proves once again that they really are still like the old Microsoft.

    1. 1

      Apple and Google both do something similar with apps, albeit in (supposedly) heavily sandboxed environments.

      1. 3

Indeed they do, but the Microsoft net appears to be wider (e.g. the sandbox is the entire OS). In any case, none of this behavior from any of those 3 is excusable.

        1. 3

          In this case it’s certainly an interesting Server-Side Request Forgery-type vector!

          Why is it so inexcusable? They (primarily) do it to keep users safe by mitigating the spread of malware. By using a closed source platform it’s not like you can really reasonably expect privacy of the packaged binaries you’re using.

          1. 2

            Because they almost certainly are violating license agreements that restrict redistribution of binaries, and license agreements that require distributing the license with the binary, etc.

            1. 1

              I’m sure they address this in the fine print of their packager/developer license/app store or something like that.

              1. 2

IANAL, but the user running the application may not even own the application and I don’t think they would be able to grant Microsoft any additional rights to redistribution, etc.

                1. 1

                  Oh, I see what you mean. Is this system triggered by any binary, or just ones packaged with the msitools msi installer stuff?

                  1. 2

Windows Defender seems to be (according to the post) automatically submitting any binary for analysis to Microsoft. Then it runs them.

      3. 1

        So, if I understand the threat model being addressed here, a scenario alluded to is that someone has got a piece of malware running on a target machine, the target machine is on a network which is heavily monitored but allowed to talk to Microsoft, and the malware has captured some data that it wants to exfiltrate.

        Any attempt to do that by directly sending data from the machine it is on will cause alarm bells to go off, or be blocked. So instead the malware mints a new EXE file containing the data it wants to exfiltrate and runs it. Windows sends the new EXE to Microsoft. Microsoft runs it to see if it does anything particularly suspicious. The EXE is written to do nothing when run on the target machine, but to send the data to be exfiltrated back to the malware’s author when run on Microsoft’s box. Microsoft’s box is outside the closely monitored network so the transmission goes unnoticed.

        I don’t suppose this would be likely to be useful to anyone IRL because, well, a machine on a network that is monitored THAT closely ought not be able to talk to MS either, and besides shouldn’t it have that “only specific EXEs with known hashes are allowed to be invoked or created” GPO switched on too?

        But side channels are interesting and fun to be paranoid about, at least.
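The comment above names two controls that close this exfiltration path: stop the host from auto-submitting fresh binaries to Microsoft, and only allow executables with known hashes to run. The following is an added, defensive example (not code from the thread or from Microsoft) that expresses both as local Windows Defender and AppLocker settings rather than as a GPO. It assumes an elevated PowerShell on a Windows host with the Defender cmdlets and the AppLocker module present; the baseline directory list, the policy file path and the XML attribute rewrite are assumptions to adjust for a real environment.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.

# 1. Stop Defender from sending samples to Microsoft automatically.
#    SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
#    2 = never send, 3 = send all samples. MAPSReporting 0 disables cloud
#    reporting entirely (this also drops cloud-delivered protection, a
#    trade-off the environment has to accept deliberately).
Set-MpPreference -SubmitSamplesConsent 2
Set-MpPreference -MAPSReporting 0

# Confirm the two settings took effect.
Get-MpPreference | Select-Object SubmitSamplesConsent, MAPSReporting

# 2. Build a hash-based AppLocker allow list from the executables already
#    on the box, so a freshly minted EXE (the one the scenario relies on)
#    has no rule permitting it. $AllowedDirs is an assumed baseline.
$AllowedDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$FileInfo = foreach ($d in $AllowedDirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

$PolicyPath = Join-Path $env:TEMP 'applocker-hash-allow.xml'   # assumed path
$PolicyXml = New-AppLockerPolicy -FileInformation $FileInfo `
    -RuleType Hash -User Everyone -RuleNamePrefix Baseline -Xml

# New-AppLockerPolicy emits the Exe collection with EnforcementMode="NotConfigured";
# set it to Enabled explicitly so the intent is unambiguous (assumed attribute
# layout, check the generated XML).
$PolicyXml = $PolicyXml -replace 'Type="Exe" EnforcementMode="NotConfigured"',
                                 'Type="Exe" EnforcementMode="Enabled"'
$PolicyXml | Out-File -FilePath $PolicyPath -Encoding utf8

# 3. Dry-run the policy before enforcing it: any EXE under user profiles that
#    is not in the baseline should come back as something other than Allowed.
Get-ChildItem -Path 'C:\Users' -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $_.FullName -User Everyone
    } |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }

# 4. Enforce locally. -Merge keeps any rules already configured; enforcement
#    also requires the Application Identity service to be running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
Start-Service -Name AppIDSvc
```

Hash rules are deliberately the strictest option here: a publisher or path rule would still let a new binary dropped into an allowed directory execute, whereas a hash rule only matches files that existed when the baseline was taken, which is exactly the property the scenario's "mint a new EXE" step cannot satisfy. The cost is that every legitimate update needs the baseline regenerated, which is why the dry-run in step 3 belongs in the rollout before step 4.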