CyberWire Daily: Signed, Sealed, Exploitable [Research Saturday] - June 21, 2025
Hosted by Dave Bittner and featuring Dustin Childs from Trend Micro's Zero Day Initiative, this episode covers two vulnerabilities in the distribution path of Microsoft's PC Manager and what overly permissive Azure Shared Access Signature (SAS) tokens mean for software supply chains.
Introduction to Research Saturday
In this episode of CyberWire Daily's Research Saturday, host Dave Bittner talks with Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative (ZDI). The discussion centers on vulnerabilities ZDI found in the cloud storage behind Microsoft's PC Manager and the broader implications for cloud access control and supply chain integrity.
Understanding Microsoft PC Manager
Dave Bittner opens by asking what Microsoft PC Manager is and where it fits in the Windows ecosystem.
[02:39] Dustin Childs: "PC Manager is really designed to do what its name says, and that's to manage PCs remotely... it's really meant to be a defensive tool, but also a system administration tool to help in terms of allowing someone to really have a lot of control over the systems within their purview."
As Childs describes it, PC Manager gives an administrator broad control over the systems it manages. That reach is precisely what makes its distribution channel an attractive target: whoever can alter what PC Manager downloads and installs inherits that control.
The Role and Risks of SAS Tokens
The conversation shifts to Shared Access Signature (SAS) tokens, the mechanism Azure Storage uses to delegate access to storage resources without handing out the storage account key.
[03:16] Dustin Childs: "SAS tokens are used to grant limited access to Azure storage resources... they can be abused by attackers to either alter software packages or inject malicious code, effectively turning a helpful feature like what a SAS token really is into a supply chain threat vector."
A SAS token encodes, in a signed query string, which resources the bearer may reach, which operations (read, list, write, delete) it may perform, and for how long. Scoped narrowly, it is a convenient delegation mechanism. Scoped broadly, with write permissions over a whole storage account and a multi-year expiry, it is a long-lived bearer credential to the distribution channel itself, and anyone who extracts it from a client or installer can use it.
Unveiling Two Critical Vulnerabilities
Dustin Childs outlines the two vulnerabilities identified in the research, ZDI 231527 and ZDI 231528:
- Overly Permissive Tokens in Winget Package Manager
[04:07] Dustin Childs: "The token for this component... has a max validity of 9,999 years, which really should... I don't think they're going to support Windows that long."
The Winget package manager component uses a SAS token to fetch specific packages. The token ZDI found granted far more than that: permissions well beyond the intended scope and, as Childs notes, an expiry set 9,999 years out, so it would never age out on its own. For as long as such a token circulates, anyone holding it can retrieve, and depending on its permissions manipulate, the data it covers.
- Supply Chain Compromise via PC Manager Downloads
[05:54] Dustin Childs: "...it allows you to actually upload things rather than just download. So you could potentially upload zip files containing attacker-controlled malicious scripts or binaries signed with valid certificates and so on."
The token behind pcmanager.microsoft.com permitted uploads, not just downloads. An attacker could therefore place attacker-controlled archives, scripts or binaries carrying valid signatures where PC Manager fetches its content, turning the product's own download path into a supply chain compromise. A valid code signature offers no protection here, since the attacker controls what gets signed and uploaded.
Real-World Implications of the Vulnerabilities
Asked about the potential impact, Childs highlights several consequences:
[06:43] Dustin Childs: "You could learn a lot about somebody or a target just by downloading everything that they have available and looking at it. So those are real world things and especially the information disclosure I think is probably the most likely thing to occur."
The most likely outcome, in Childs' estimation, is information disclosure: an attacker who can list and download everything in the storage account learns a great deal about the target. The upload capability is the more severe one, since a modified package distributed through PC Manager reaches every machine that installs it.
Coordinated Disclosure and Microsoft's Response
Dave asks how the findings were disclosed to Microsoft and how Microsoft responded.
[09:54] Dustin Childs: "We disclose a lot of things to Microsoft and we literally disclose 100 plus things to Microsoft every year... In this case, since the fix is really an online service, we reported it at the end of September and about a week later they were able to address the vulnerability through an online service update."
ZDI follows a coordinated disclosure process with Microsoft's Security Response Center (MSRC). Because the flaw lay in an online service rather than in shipped code, no customer-side patch was needed: ZDI reported it at the end of September and Microsoft changed the service about a week later.
Lessons for Organizations: Access Controls and Token Permissions
Dave asks Childs what organizations that rely on cloud storage and distribution should take from this.
[11:52] Dustin Childs: "Always look for the principle of least privilege. Give permissions absolutely only necessary for what you're doing for that."
The lesson is least privilege applied to tokens: a SAS token should name the narrowest resource, the fewest permissions and the shortest lifetime that the consuming component actually needs. A read-only token for one package path, expiring in days, does the same job as a read-write, account-wide token valid for millennia, and fails far more gracefully when it leaks. Tokens embedded in clients and installers should be assumed to leak.
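As an added example for this section (not code from ZDI, Microsoft or the episode), the following Python audits a SAS token's query string against the three properties the discussion turns on: what permissions it grants, how much of the storage account it reaches, and how long it lives. The two token strings are constructed for illustration, with placeholder signatures and a fictional storage account; the one-year lifetime threshold and the set of permission letters treated as write-capable are assumptions for the example, not Microsoft guidance.

```python
"""Audit Azure Shared Access Signature (SAS) query strings for over-permissive scope.

Added example written for this page; not code from ZDI, Microsoft or the episode.
The token strings below are constructed: the storage account is fictional and the
'sig' values are placeholders, not real HMAC signatures.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# 'sp' permission letters that let the bearer change data rather than only read it
# (w=write, d=delete, a=add, c=create, u=update, x=delete version, y=permanent delete).
# Treating exactly this set as write-capable is an assumption of the example.
WRITE_LIKE = set("wdacuxy")

# Lifetime threshold assumed for this example (not a Microsoft recommendation).
MAX_LIFETIME = timedelta(days=365)

# Fixed reference time so the audit is deterministic.
AUDIT_TIME = datetime(2025, 9, 30, tzinfo=timezone.utc)

# Constructed tokens modelled on the episode's description: one long-lived,
# read/write, account-wide; one read-only, single-blob, short-lived.
BROAD_SAS = (
    "https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco"
    "&sp=rwdlacupx&se=9999-12-31T23:59:59Z&st=2023-01-01T00:00:00Z"
    "&spr=https,http&sig=PLACEHOLDER"
)
SCOPED_SAS = (
    "https://examplestorage.blob.core.windows.net/packages/app-1.2.3.zip"
    "?sv=2022-11-02&sr=b&sp=r&se=2025-10-07T00:00:00Z&spr=https&sig=PLACEHOLDER"
)


def parse_sas(token: str) -> dict[str, str]:
    """Split a SAS URL or bare query string into its parameters (first value each)."""
    query = urlsplit(token).query if "://" in token else token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sas_time(value: str) -> datetime:
    """SAS timestamps are UTC ISO 8601; Azure accepts several precisions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def audit_sas(token: str, now: datetime = AUDIT_TIME) -> list[str]:
    """Return findings where the token exceeds least privilege; [] means it passed."""
    p = parse_sas(token)
    findings: list[str] = []

    sp = p.get("sp", "")
    if WRITE_LIKE & set(sp):
        findings.append(f"write-capable permissions (sp={sp}): bearer can alter hosted content")
    if "l" in sp:
        findings.append("list permission (l): bearer can enumerate everything in scope")

    # Account SAS: 'ss' lists services, 'srt' lists resource types
    # (s=service, c=container, o=object). c and o together reach every blob.
    if {"c", "o"} <= set(p.get("srt", "")):
        findings.append(f"account-wide scope (ss={p.get('ss', '')}, srt={p['srt']})")
    # Service SAS: sr=c covers a whole container, sr=b a single blob.
    if p.get("sr") == "c":
        findings.append("container-scoped service SAS (sr=c), not a single blob")

    se = p.get("se")
    if se is None:
        if "si" not in p:  # a stored access policy may carry the expiry instead
            findings.append("no expiry (se): token never ages out")
    else:
        remaining = parse_sas_time(se) - now
        if remaining > MAX_LIFETIME:
            findings.append(
                f"expiry {se} is {remaining.days} days out (policy max {MAX_LIFETIME.days})"
            )

    if "http" in p.get("spr", "https").split(","):
        findings.append(f"plain HTTP permitted (spr={p['spr']})")
    return findings


if __name__ == "__main__":
    for label, tok in (("broad", BROAD_SAS), ("scoped", SCOPED_SAS)):
        result = audit_sas(tok)
        print(f"{label}: {'OK' if not result else f'{len(result)} finding(s)'}")
        for line in result:
            print("  -", line)
```

The same checks apply wherever a SAS token is embedded in a client, installer or build pipeline: run the audit over tokens extracted from configuration and binaries before they ship, and treat any token that fails as a credential to rotate, not merely a setting to tidy.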
Best Practices for Securing Supply Chains
Childs then lists practices that would have limited exposure in a case like this:
[13:01] Dustin Childs: "Make sure that you're up to date on your security patches... understand who is responsible, you or the service provider, for applying updates, for making those changes."
Key recommendations include:
- Regular Patch Management: Keeping systems and software updated to close known vulnerabilities.
- Clarifying Responsibilities: Knowing which fixes the organization must apply itself and which the service provider applies on its side, as Microsoft did here with an online service update.
- Vigilant Configuration Management: Reviewing cloud service configuration, including the scope and lifetime of any SAS tokens in use, so that nothing is more permissive than the consuming component requires.
The Importance of Coordinated Disclosure
Wrapping up, Childs returns to why coordinated disclosure matters in vulnerability management.
[14:27] Dustin Childs: "The concept of coordinated disclosure is really important... it allows us all to work together... reducing the window of exposure of threat to the end user."
Coordinated disclosure gets a vulnerability fixed before its details are public, shrinking the window in which end users are exposed. Researchers, vendors and users all benefit when the fix precedes the disclosure.
Conclusion
This episode of CyberWire Daily underlines how much rides on the configuration of access tokens in cloud services. The discussion with Dustin Childs covers the two vulnerabilities ZDI found behind Microsoft's PC Manager, the information disclosure and supply chain consequences they could have had, and the practices, least privilege for tokens first among them, that organizations should adopt to avoid the same exposure.
For more detail, listeners are encouraged to review the full research report, "The Potential Impact of Overly Permissive SAS Tokens on PC Manager Supply Chain", linked in the Show Notes.