PowerShell? More like PowerHell: Microsoft won't fix flaws in package gallery ripe for supply chain attacks

A trio of PowerShell Gallery design flaws reported to Microsoft almost a year ago remain unfixed, leaving registry users vulnerable to typosquatting and supply chain attacks, according to Aqua Nautilus. In a report issued Wednesday, the security shop's software engineer Mor Weinberger and flaw finders Yakir Kadkoda and Ilay …

  1. Jou (Mxyzptlk) Silver badge

    Whiny article, but one true point

    I am in a lucky position usually not needing anything from there. "ntfsaccess" for example, a package for those who are not willing to learn how to use get-acl / set-acl which can do everything and sometimes even more. Up to now the only thing I needed was a helper to evaluate the "effective access", like the tab of the file explorer. For one time. Unlisted packages being available is the same as unlisted videos on YouTube, those who upload should make them private or remove them. Trusting any cloud(-like) storage as open as PowerShell Gallery or GitHub to keep sensitive data inaccessible is naive.

    The one true point of the article is the constant inconsistency even within Microsoft own packages to be used for Azure, quite annoying.

    1. Charlie Clark Silver badge

      Re: Whiny article, but one true point

      Had to use it recently to disable automapping when delegating Exchange mailboxes. Linked to from the official Microsoft documentation.

      Of course, this hack wouldn't be necessary if this could be controlled in Outlook or online when setting things up.

      1. Jou (Mxyzptlk) Silver badge

        Re: Whiny article, but one true point

        You can do that without PowerShell Gallery too, but it is far from trivial in comparison. Ever since PowerShell came along a lot of tiny GUI options disappeared from later Exchange versions, this is one of those. Programming a GUI for some functions is more expensive than offering a PowerShell way, and the PowerShell way offers a method of scripting and automation the GUI variant cannot offer. Very important for mass-jobs.

        1. J. Cook Silver badge

          Re: Whiny article, but one true point

          ... some not-so-tiny options vanished as well.

          Like all of the Unified Messaging management options for the EC for On-premise Exchange 2013? GONE. You get to use Powershell now for ALL OF IT.

          Moving a mailbox on-premise from one mailbox database to another, both on-premise? the Migration code in the EAC is so utterly, horribly BROKEN. You can submit the request, but it'll sit there and do absolutely jack and handy, and there's no way to force it to remove those migration requests. the "New-MoveRequest" commandlet still works, so that's what you are forced to use if you need to move a mailbox to, say, clear up some corrupted search folders in the user's mailbox in order to fix the issue which also prevents it from being migrated to The Cloud...

        2. Charlie Clark Silver badge

          Re: Whiny article, but one true point

          I don't understand the point you're making: you think it was right of Microsoft to remove the option? You then agree that without this add-on the change is difficult to manage? And why can't users disable automapping themselves? In IMAP I regularly choose which folders to subscribe to.

          I'm used to both but actually think this would be trivial with a series of checkboxes in a GUI and shared mailboxes is not necessarily a batch operation. One of the reasons we have GUIs is because people cannot remember text commands very well. I do a lot of work with keyboard shortcuts, but if I don't use something at least once a week I'm likely to spend more time trying to remember the shortcut than doing it with a mouse.

        3. NoneSuch Silver badge

          Re: Whiny article, but one true point

          No one has ever convinced me that a GUI is less safe to use than a 430 character PowerShell command that can bork the domain.

          We had a Help Desk tech who came within a hair of deleting over a thousand email accounts because of a badly constructed PS script. Only reason it didn't go off is he sensibly asked me to review it before he used it. Get- and Set- commands look similar, but have much different actions.

          In the days where people are using AI to write untested scripts, a GUI with check box is MUCH more appealing than an open Admin terminal running PS.

          MS Azure engineers themselves have taken down three major services for several days with a badly written script.

          1. Jou (Mxyzptlk) Silver badge

            Re: Whiny article, but one true point

            GUI does not really help: The explorer allows way too easy data nuking. Including accidentally executing a drag and drop, especially on touchpads. But even with mouse, the wrong UI element insists on popping up foreground in the right moment. A problem shared among all current OSes.

  2. that one in the corner Silver badge

    fingers crossed

    > miscreants don't move from GitHub, NPM, PyPI and others to PowerShell Gallery.

    Well, so long as they do actually move and stop piddling with NPM and PyPI we should be in a better situation.

    After all, the people who use Power Shell - certainly those who use it enough to be aware of this gallery thing - are all the highly trained sysops and devops who are aware of these sorts of traps and take especial care over what they are doing.[1]

    Whilst PyPI et al are utilised by many more casual users and beginners.

    [1] have honestly lost track of whether this is sarcasm or not; given the results of the typosquatting experiment mentioned in the article, safest to assume it is sarcasm.

  3. may_i Silver badge

    PoWeRsHeLl

    Micros~1's PoWeRsHeLl is the SpAwN oF tHe DeViL and should be doused with a flood of holy water!

    Why any rational person would CaMeL CaSe verbs (or for that matter, any part of a scripting language) is beyond my understanding.

    1. Jou (Mxyzptlk) Silver badge

      Re: PoWeRsHeLl

      $OfCourseYouDoCamelCaseVariables. ItMakesItEasierToReadInProgrammingWhenUsedRight. butifyoucanntstanditfineespeciallysincewewillprobablynevermeetneitherintherealnorvirtualworld.

    2. CowHorseFrog Silver badge

      Re: PoWeRsHeLl

      is that the same holy water from major world religions that condones slavery and child rape ?

  4. RedGreen925 Bronze badge

    Like them morons at Microsoft know anything about security, their entire history proves this. Day after day repeated breaches and still these clowns pay them for the privilege of running that garbage to be owned by some scumbags who steal all their data and hold it for ransom. The time is well past for laws that require companies to use something secure or be put in jail for the breaches. That might get the CEOs attention, the prospect of a jail cell in a non-country club jail with the cream of the criminal crop to prey on them 24/7. After all them scummy politicians can come up with their bull shit laws for everything else but protecting the people they serve, they just need to think of the "children" in this case too.

  5. chuckufarley Silver badge

    This is first time...

    ...That I have read of this PowersHell app store. I was totally and blissfully unaware of it until now. The next time I read about it I hope that it's a notice to say that it has been discontinued because too many people weren't doing their own damned homework.

    1. Jou (Mxyzptlk) Silver badge

      Re: This is first time...

      It is actually nice! I rarely actually need it, up to now only once. But knowing it is there and useful is always a good fallback when searching for something specific. Lots of Microsoft articles refer to it.

  6. Ken G Silver badge

    Power corrupts

    PowerShell corrupts absolutely.

  7. Zippy´s Sausage Factory

    I've never understood what the business case for PowerShell actually was.

    "Let's create another, totally incompatible shell that nobody knows how to use and then force people to use it whether they want to or not"

    "Wouldn't it just be easier for the users, and cheaper for us, to improve the tools we already have?"

    "Heresy! You're fired"

    1. Anonymous Coward

      the business case for PowerShell

      @Zippy´s Sausage Factory: “I've never understood what the business case for PowerShell actually was.”

      A bad copy of BASH.

      1. Jou (Mxyzptlk) Silver badge

        Re: the business case for PowerShell

        It is better than bash. Object-oriented beats deciphering the ascii output of commands with sed/grep/awk/ed etc. Including simple things like, for example, getting files of a directory, the largest file, and if there are many with the same size get the newest, and if there are still many "same" get the last of the "array" of same files. This example can actually be a one-liner, doesn't even need "if" or pipe, all integrated in get-childitem and using the methods supplied with the output-object(array) it gives back.

        And with the close integration of .NET you can access a huge amount of functions in [math], [array] etc etc etc directly. And if that is not good enough you can inline C# and C(++) to do the work, even though most of the time it is used as an interface to .DLLs which offers specific functions from the OS since before the year 2000 up to Windows 11/Server 2022. Using NTFS compression without calling "compact.exe" is an example. With the advantage that it works with unicode and long paths, contrary to calling "compact.exe".
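        The "largest file, newest among equal sizes, last of the remaining ties" selection described in the comment above, written out as an added example (this is not the commenter's one-liner and not code from the article). It relies on Sort-Object being stable and on indexing the resulting array; the temp-directory setup, file names and sizes are constructed here purely so the function can be exercised offline:

```powershell
# Added example: largest file in a directory, size ties broken by newest
# LastWriteTime, remaining ties broken by position in the enumeration.
function Get-LargestNewestFile {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Sort ascending on both keys. Sort-Object is stable, so files that tie on
    # Length and LastWriteTime keep their enumeration order; [-1] therefore
    # returns the largest, then newest, then last-of-the-tie file. No if, no awk.
    $sorted = @(Get-ChildItem -LiteralPath $Path -File |
        Sort-Object -Property Length, LastWriteTime)
    if ($sorted.Count -eq 0) { return $null }
    return $sorted[-1]   # a FileInfo object, not a line of text to parse
}

# Constructed demo data in a throwaway temp directory so this runs anywhere.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("gci-demo-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    foreach ($n in 'a', 'b', 'c') {
        [IO.File]::WriteAllBytes((Join-Path $dir "$n.bin"), (New-Object byte[] 4096))
    }
    [IO.File]::WriteAllBytes((Join-Path $dir 'small.bin'), (New-Object byte[] 16))

    # a.bin is older; b.bin and c.bin share the exact same (newest) timestamp.
    $tie = (Get-Date).AddDays(-1)
    (Get-Item (Join-Path $dir 'a.bin')).LastWriteTime = (Get-Date).AddDays(-2)
    (Get-Item (Join-Path $dir 'b.bin')).LastWriteTime = $tie
    (Get-Item (Join-Path $dir 'c.bin')).LastWriteTime = $tie

    $winner = Get-LargestNewestFile -Path $dir
    "Largest/newest: {0} ({1} bytes, {2})" -f $winner.Name, $winner.Length, $winner.LastWriteTime
    # On NTFS, where Get-ChildItem enumerates in name order, this is c.bin:
    # largest size, newest timestamp, and the last of the b/c tie. On a file
    # system with a different enumeration order the tie-breaker may pick b.bin.
}
finally {
    Remove-Item -LiteralPath $dir -Recurse -Force
}
```

        The point the function makes is that `$winner.Length` and `$winner.LastWriteTime` are typed properties of the returned object; nothing here depends on column positions in `ls` output.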

        1. Anonymous Coward

          Re: the business case for PowerShell

          --libxo

          https://juniper.github.io/libxo/libxo-manual.html

          % wc --libxo json,pretty,warn /etc/motd

          1. Jou (Mxyzptlk) Silver badge

            Re: the business case for PowerShell

            But not supplied with every OS installation, especially not for 20 years. If you go that route some prefer python instead of bash, then you do have objects.

            1. Anonymous Coward

              Re: the business case for PowerShell

              Yeah. I agree.

              I was just pointing out that there is a better way to parse output on the unix command line than dubious string parsing.

        2. Anonymous Coward

          Re: the business case for PowerShell

          read -r col_sz col_ts <<< $(ls -ltS --time-style=long-iso . | awk 'NR==2 {print $5, $6 " " $7}')

          ls -ltS --time-style=long-iso . | awk -v awk_sz="$col_sz" -v awk_ts="$col_ts" '{if ($5 == awk_sz && $6 " " $7 == awk_ts) print $8}'

          If doing it in one line so is important you can use a semi-colon.

        3. Anonymous Coward

          Re: the business case for PowerShell

          A thousand apologies.

          It's a bad copy of Python.

    2. Ball boy Silver badge

      Business case for PowerShell?

      "Wouldn't it just be easier for the users, and cheaper for us, to improve the tools we already have?"

      Well, they didn't really have any. Using the Command line was a hangover from the days of DOS and wasn't that flexible (it didn't need to be: it was conceived to address the needs of a single user on a single computer running a single program). What Microsoft quickly found - I suspect - is that when you want to manage a server, you tend to need to do things that a GUI simply can't address - and building a GUI to cover /all/ eventualities would be impossible...so a scripting tool was required. Voilà! PowerShell was born. In its own way, it's MS's concession that servers need CLI rather than flashy GUIs (or, if you prefer, the *nix way of managing server-grade systems was probably right after all!).

      1. Jou (Mxyzptlk) Silver badge

        Re: Business case for PowerShell?

        The history of powershell is actually more complex. It started even before what the wikipedia article states and was, at the beginning, not loved by Microsoft. That changed soon.

    3. Kenjitamurako

      I wouldn't say powershell is incompatible with other shells as you can call bash or cmd directly from powershell to get the exit codes and console output. The power of powershell is in having structured data. Batch and bash work with text streams but powershell has objects with properties and methods. That said, for a lot that powershell gets used for C# would have been a better option as it has better development tools and enforces better coding standards. The clear use case for powershell is in working with Microsoft products specifically as the company has powershell modules for most of its products and they offer more convenience than most other tools they expose for working with their products.

    4. CowHorseFrog Silver badge

      DOS is shall we say rather limiting... so MS needed something with a bit more power, because DOS doesn't cut it for automated deployments and similar boring repetitive tasks.

      1. Jou (Mxyzptlk) Silver badge

        Calling it "limited" is an understatement. Want the current date?

        set X=

        for /f "skip=1 delims=" %%x in ('wmic.exe os get localdatetime') do if not defined X set X=%%x

        rem dissect into parts

        set DATE.YEAR=%X:~0,4%

        set DATE.MONTH=%X:~4,2%

        set DATE.DAY=%X:~6,2%

        set DATE.HOUR=%X:~8,2%

        set DATE.MINUTE=%X:~10,2%

        set DATE.SECOND=%X:~12,2%

        set DATE.FRACTIONS=%X:~15,6%

        set DATE.OFFSET=%X:~21,4%

        rem Assemble what we need...

        SET TIMESTAMP=%DATE.YEAR%%DATE.MONTH%%DATE.DAY% %DATE.HOUR%:%DATE.MINUTE%:%DATE.SECOND%

        You want "grep -o" ? Hell yea, possible, I programmed such a thing in CMD, but uuuuuuuuugly.

        You want to handle a file with "&" in its name? No chance in CMD.

  8. Mike 137 Silver badge

    The real problem?

    Is the real problem PowerShell, or is it fundamentally the repository to which malicious (or even incompetent) actors can contribute without adequate vetting?

    However, crowd sourcing requires disproportionate verification effort unless the benevolence and competence of all contributors can be assured -- which, in reality, is never.

    1. Ken Hagan Gold badge

      Re: The real problem?

      For the example in the fine article, I'd expect every official MS package to be signed by MS and anyone grabbing it to have some way of validating that the package is indeed signed and, moreover, signed by the expected author.

      If your platform doesn't offer that, it is just ActiveX by another name and you have learned nothing in the last 25 years.

      1. Richard 12 Silver badge

        Re: The real problem?

        Quite clearly there is no way of verifying signatures.

        Or even finding out who uploaded it, as apparently any munchkin can put whatever they want into the author field...
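        The check Ken Hagan asks for above, and the point Richard 12 makes about the author field, as an added example that is not from the article, from Aqua's report, or from the Gallery's own tooling: stage the module with Save-Module, verify every script, manifest and binary carries a valid Authenticode signature from a signer you pinned in advance, and only then copy it onto the module path. The module name, version, thumbprint and staging directory are placeholders you must replace. Get-AuthenticodeSignature is Windows-only, and a status of Valid only means the chain is trusted by this machine, which is why the thumbprint comparison is the part that actually pins the publisher:

```powershell
# Added example: verify a staged PowerShell Gallery module's signatures against
# a pinned signer before installing it. The Gallery "Author" metadata is never
# consulted for trust because it is free text supplied by whoever uploaded the package.
function Test-StagedModuleSignature {
    param(
        [Parameter(Mandatory)] [string] $StagePath,          # directory Save-Module wrote into
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # SHA-1 thumbprint of the signer you trust (placeholder)
    )
    $signable = '.ps1', '.psm1', '.psd1', '.dll'
    $files = Get-ChildItem -LiteralPath $StagePath -Recurse -File |
        Where-Object { $_.Extension -in $signable }
    if (-not $files) { throw "No signable files found under $StagePath" }

    # Collect every file that is unsigned, badly signed, or signed by someone else.
    $bad = foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            "$($f.FullName): signature status $($sig.Status)"
            continue
        }
        if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
            "$($f.FullName): signed by '$($sig.SignerCertificate.Subject)' " +
            "(thumbprint $($sig.SignerCertificate.Thumbprint)), not the pinned signer"
        }
    }
    if ($bad) { throw ("Refusing to install:`n" + ($bad -join "`n")) }
    return $true
}

# --- usage; every value below is a placeholder, not a real module or signer ---
$Name    = 'Example.Module'
$Version = '1.2.3'                                          # pin an exact version, never "latest"
$Thumb   = '0000000000000000000000000000000000000000'       # your trusted signer's thumbprint
$stage   = Join-Path $env:TEMP "psgallery-stage-$Name"
New-Item -ItemType Directory -Force -Path $stage | Out-Null

# 1. Look at the listing, but treat Author/CompanyName as uploader-supplied text only.
Find-Module -Name $Name -RequiredVersion $Version -Repository PSGallery |
    Select-Object Name, Version, Author, CompanyName, PublishedDate, ProjectUri

# 2. Fetch into the staging directory without installing or importing anything.
Save-Module -Name $Name -RequiredVersion $Version -Repository PSGallery -Path $stage -Force

# 3. Every file must be validly signed by the pinned signer, or this throws.
Test-StagedModuleSignature -StagePath (Join-Path $stage $Name) -ExpectedThumbprint $Thumb

# 4. Only now place it on the module path (first PSModulePath entry for this user).
$dest = Join-Path (($env:PSModulePath -split [IO.Path]::PathSeparator)[0]) $Name
Copy-Item -LiteralPath (Join-Path $stage $Name) -Destination $dest -Recurse -Force
```

        Two caveats a practitioner should keep in mind: Install-Module does not require a signature at all, so this staging step is the only place the check happens; and many legitimately published modules are simply unsigned, in which case the function fails closed and the module has to be reviewed by hand and vendored rather than pulled from the Gallery on each install.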

    2. Jou (Mxyzptlk) Silver badge

      Re: The real problem?

      As you hint: Of course it is the open repo.

  9. Anonymous Coward

    I don't understand the problem..

    I mean, it's not as if anyone would write an application that pulls in third-party code in realtime on live systems... right? right?

    1. Steve Davies 3 Silver badge

      Re: I don't understand the problem..

      MS and Powershell? A marriage made in Hell.

      They issued a patch to an unrelated problem and suddenly our entire MSCS estate went TITSUP. It took them 3 days to even ack the problem.

      We asked about what testing they had done with the patch before issuing it. All we got was the sounds of silence. Yes, we did test the patch but we didn't have a MSCS test rig at the time. They never came back to us why this patch took out half of the Powershell library when it was nothing to do with PowerShell or MSCS.

      The customer decided to move away from using Windows Server not long after.

    2. CowHorseFrog Silver badge

      Re: I don't understand the problem..

      Do you like Go and its imports from the web ?

      1. Anonymous Coward

        Re: I don't understand the problem..

        [Original OP here]

        No. Ditto Rust and Node.js.

        Or, even bloody bourne-shell if that's how someone writes their code.

        It wasn't a specific microsoft criticism, or even necessarily a language/tool criticism. It was a criticism of any programming style that does that, and any language that promotes that way of working.
