This Week in Security: Microsoft on Microsoft, Register Your Domains, Linux on ARM, and FreeBSD Joins the File Cache Club

Microsoft has fixed a critical bug in GitHub that could allow attackers to steal user authentication tokens via the embedded web-based Visual Studio Code editor, addressing a significant security vulnerability.

This week, Microsoft announced it has patched a bug in GitHub’s web-based VS Code environment that could have been exploited to exfiltrate user tokens with access to all repositories. The flaw was discovered by security researcher Ammar Askar, who detailed how manipulating the embedded web view could lead to token theft. Additionally, Microsoft’s open-source Azure repositories were temporarily disabled after a supply chain attack involving the Miasma worm compromised packages, notably the Microsoft Durabletask package, which was previously targeted in May and had over 400,000 downloads per month.

In other news, Julian B demonstrated how unregistered domain names embedded in TP-Link firmware could be exploited, leading to potential security risks. He registered a domain referenced in firmware updates and received device check-in requests, raising concerns about the implications of unregistered domains in device security. Meanwhile, OpenSSL revealed new vulnerabilities, including a high-severity use-after-free bug affecting PKCS7 handling, which could allow remote code execution. The researcher known as NightmareEclipse, now operating as MSNightmare, released new exploits targeting Windows Defender and BitLocker, despite Microsoft’s earlier threats of criminal investigations against such disclosures.

Implications of Recent Security Flaws and Fixes

The fixes and discoveries this week highlight ongoing risks in software supply chains, cloud platform security, and device firmware integrity. Microsoft’s patch for GitHub token theft mitigates a critical attack vector that could compromise multiple repositories and developer environments. The TP-Link domain issue underscores the importance of proper domain management in IoT device security. The OpenSSL vulnerabilities pose a potential threat to applications handling encrypted communications, and the return of researcher MSNightmare’s exploits illustrates the persistent tension between vulnerability disclosure and corporate security policies. Collectively, these incidents emphasize the need for vigilant security practices across development, deployment, and device management.

Recent Trends in Supply Chain and Software Vulnerabilities

Supply chain attacks have become increasingly prevalent, with Microsoft’s open-source packages being a notable target. The Miasma worm’s recent activity, involving the compromise of the Microsoft Durabletask package, exemplifies how malicious actors leverage trusted repositories to distribute malware. Microsoft’s response—disabling affected repositories—aims to contain the threat but disrupts legitimate development workflows. Simultaneously, vulnerabilities in widely used libraries like OpenSSL continue to surface, exposing weaknesses in cryptographic implementations. The return of known exploit developers like NightmareEclipse, now MSNightmare, signals ongoing challenges in balancing security research, disclosure, and corporate response, especially amid evolving policies and public debates.

“The bug in GitHub’s embedded VS Code environment could have allowed malicious actors to exfiltrate user tokens and access all repositories.”

— Ammar Askar

Unresolved Questions and Ongoing Risks

It is not yet clear how widespread the impact of the OpenSSL bugs will be or whether additional vulnerabilities remain undisclosed. The full extent of the TP-Link domain issue and its potential exploitation risks are still under investigation. Microsoft’s long-term response to the return of researcher MSNightmare and the potential for further exploits remains uncertain, especially as the industry debates policies around vulnerability disclosure and responsible reporting.

Next Steps for Security Improvements and Monitoring

Microsoft is expected to release further patches addressing the OpenSSL vulnerabilities and any remaining issues in GitHub’s security. Security teams should monitor for updates from affected software vendors and review their supply chain security measures. TP-Link and other IoT device manufacturers may implement stricter domain validation and firmware security protocols. Researchers and organizations will likely continue tracking exploits from MSNightmare and similar actors, emphasizing the importance of proactive vulnerability management and responsible disclosure practices.

DeskFX Free Audio Effects & Audio Enhancer Software [PC Download]

Transform audio playing via your speakers and headphones

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How does the GitHub token vulnerability affect me?

If you use GitHub’s web-based VS Code or have repositories linked to the affected environment, your tokens could have been at risk of theft before the patch. It’s recommended to review and revoke any tokens issued prior to the fix and enable two-factor authentication.

What risks do unregistered domains embedded in IoT device firmware pose?

Unregistered domains can be exploited by attackers to intercept device communications, redirect traffic, or perform man-in-the-middle attacks. Proper domain registration and validation are essential for device security.

Are OpenSSL vulnerabilities likely to impact web servers?

Most web servers do not directly use the affected PKCS7 functions, but applications that handle encrypted email or digital signatures could be vulnerable. Updating OpenSSL is strongly recommended to mitigate risks.

Will Microsoft address the exploits released by MSNightmare?

Microsoft typically releases security patches during Patch Tuesday; however, some exploits may not be fixed immediately. Users should apply updates promptly and monitor official advisories for further patches.

Source: Hackaday