"The whole exercise is a fine example of a supply chain attack"
One of the many attack vectors.
Does this exploit work on all operating systems?
Maybe the OS handling of fonts is an issue as well as a compromised supply chain.
Just a thought
Crooks mounted a crypto-mining scam after hacking into a supplier of an unnamed PDF editor software vendor. Microsoft has reported that as-yet-unidentified hackers compromised some font packages installed by a PDF editor app. The hack was used to push two types of crypto-currency mining app, the cybercrime du jour. Redmond's …
Part of this is probably the way apps/programs are installed on Windows. User clicks "install", gets "yes/no" popup and off it runs. I remember some programs decades ago that wanted "yes/no" (and had an option to see the file particulars) for every executable installed. But... everyone wants "fast" and gives their trust freely with no thinking involved.
I can understand (to a point) that AV won't always catch this stuff and bring it to the attention of the user, but still one would think that mining apps have some sort of code that's a giveaway in them.
Presumably the same thing could occur with the various package managers like apt or rpm? They seem to pull down a load of dependencies on the fly, so all somebody has to do is compromise some frequently used library package or whatever, and bingo.
We've also talked about dynamically linked JavaScript on websites, where the code is hosted elsewhere.
Seems like there are many opportunities for supply chain type problems to occur.
@RobinCM
I suspect your downvote came either from someone whose bread is buttered by remote hosted JavaScript or some linux fanatic (I'm one but not a downvote at all).
No one likes it when you expose how shaky the whole house of cards has become... it'd be a really major pita to fix all this. And no, signing isn't going to work any better than it did for the recipients of Stuxnet.
"If buildings were built the way programmers code, the first woodpecker to come along would destroy the world".
Any honest programmer who understands how systems work won't be able to disagree with the above.
Presumably the same thing could occur with the various package managers like apt or rpm?
Yes, or the ones that pull source components, such as Maven and NPM.
Or a developer's account for some popular open-source package is compromised, and malware is injected into the source.
Supply-chain attacks are becoming more common, and will continue to grow.
Hard to read that Microsoft summary of the 'incident' with all of the 'look how fantastic MS Win Def ATP was'. But it does state:
> "The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation."
Wondered if there was a CVE for this or if there's other mitigation not mentioned - silent download and installation of an unsigned MSI file during signed app installation. That seems a much bigger problem to solve than waxing lyrical about how good your AV product is.
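A defender-side check for the case quoted in the post above, as an added example that is not from the thread or from Microsoft's write-up: it audits a folder of MSI files that an installer staged and flags any that are unsigned or whose Authenticode signature does not verify. The staging folder path is an assumption.

```powershell
# Added example: audit staged MSI files for missing or invalid Authenticode signatures.
# $StagingDir is a placeholder assumption for wherever the installer drops downloaded MSIs.
param(
    [string]$StagingDir = "C:\Temp\installer-staging"
)

# Get-AuthenticodeSignature understands MSI files, so each staged package can be
# checked the same way as an .exe or .dll before Windows Installer ever runs it.
$results = Get-ChildItem -Path $StagingDir -Filter *.msi -File -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$results | Format-Table -AutoSize

# Anything other than 'Valid' is the situation the thread describes: an unsigned
# MSI mixed in with legitimate ones. Report it and exit non-zero so a deployment
# or build pipeline stops instead of installing it silently.
$bad = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} MSI file(s) failed signature verification:" -f $bad.Count)
    $bad | Format-Table File, Status -AutoSize
    exit 1
}
```

A valid signature only tells you who signed the package, not that the content is benign, so the SHA256 column is there to compare against the vendor's published hashes where they exist.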