10.22.22

Gemini version available ♊︎

Microsoft Edge for “Linux” Uses Outdated GPG and Then Configures it to Silence Your Distribution’s Package Security Checks

Posted in GNU/Linux, Microsoft at 7:07 am by Guest Editorial Team

Reprinted with permission from Ryan

Previously: Bruce Schneier: Microsoft Edge is Apparently a Password Stealer Too, Even on GNU/Linux

Microsoft Edge for “Linux” uses outdated GPG and then configures it to silence your distribution’s package security checks.

I got bored today and decided to look at the RPM package for Microsoft Edge for “Linux”.

If you installed it, it will add a microsoft-edge.repo file in etc/yum.repos.d with the following:

[microsoft-edge]
name=microsoft-edge
baseurl=https://packages.microsoft.com/yumrepos/edge/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc

As you can see, Microsoft has essentially bypassed the GPG check by enabling the check, and then instead of installing a package signing key into the RPM database, like well behaved software does, they point it at a Public Key hosted on their server.

The gist of this is that it shuts up the “package is unsigned” warning that prevents tampering, but then provides no assurances that Microsoft Edge updates are actually not tampered with.

If an attacker compromises Microsoft’s server, they could replace the key, then replace Microsoft Edge with a package containing anything (or just add malware to Edge to increase the amount of time before people realized anything was wrong with the package), and it would pass the signature check because DNF would check the URL and find the attacker-modified microsoft.asc Public Key.

Additionally, by following the URL to the Microsoft Public Key block, I noticed that they are using an outdated branch of GPG as well, which dates back to 2004 and is only maintained to address CVEs.

GPG recommends migrating to the current branch (2.3.8 is the latest as of this writing), and Mullvad VPN warns its users not to use the 1.4 branch as well.

Additionally, GPG says that the 1.4 branch is not widely used, so there’s likely fewer people legitimately studying it to fix it, and more likely just attackers looking for slobs that are still using it, like Microsoft.

This should be yet another example of how much Microsoft can be trusted to “secure” your computer.

They can’t even secure their own. They had a couple of major data breaches thanks to misconfiguration of Azure recently, which even BleepingComputer covered.

I hope that if you’re considering putting Microsoft software where it doesn’t belong, on your GNU/Linux system, then witnessing their slovenly practices should give you some second thoughts.

Just this repo alone sets up your GNU/Linux system to be seriously compromised.

The point of installing GPG keys into RPM is so that when there’s a breach of the server, it doesn’t affect users that already have the program and get alerted that there’s an update. A legitimate update which updates RPM with the new GPG key would have to be signed using the old one, meaning that a chain of trust is preserved.

When you point it at a Web site, like Microsoft does, you have no idea what you’ll get.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New

  1. Links 29/03/2023: Parted 3.5.28 and Blender 3.5

    Links for the day

  2. Links 29/03/2023: New Finnix and EasyOS Kirkstone 5.2

    Links for the day

  3. IRC Proceedings: Tuesday, March 28, 2023

    IRC logs for Tuesday, March 28, 2023

  4. [Meme] Fraud Seems Standard to Standard Life

    Sirius ‘Open Source’ has embezzled and defrauded staff; now it is being protected (delaying and stonewalling tactics) by those who helped facilitate the robbery

  5. 3 Months to Progress Pension Fraud Investigations in the United Kingdom

    Based on our experiences and findings, one simply cannot rely on pension providers to take fraud seriously (we’ve been working as a group on this); all they want is the money and risk does not seem to bother them, even when there’s an actual crime associated with pension-related activities

  6. 36,000 Soon

    Techrights is still growing; in WordPress alone (not the entire site) we’re fast approaching 36,000 posts; in Gemini it’s almost 45,500 pages and our IRC community turns 15 soon

  7. Contrary to What Bribed (by Microsoft) Media Keeps Saying, Bing is in a Freefall and Bing Staff is Being Laid Off (No, Chatbots Are Not Search and Do Not Substitute Web Pages!)

    Chatbots/chaffbot media noise (chaff) needs to be disregarded; Microsoft has no solid search strategy, just lots and lots of layoffs that never end this year (Microsoft distracts shareholders with chaffbot hype/vapourware each time a wave of layoffs starts, giving financial incentives for publishers to not even mention these; right now it’s GitHub again, with NDAs signed to hide that it is happening)

  8. Full RMS Talk ('A Tour of Malicious Software') Uploaded 10 Hours Ago

    The talk is entitled "A tour of malicious software, with a typical cell phone as example." Richard Stallman is speaking about the free software movement and your freedom. His speech is nontechnical. The talk was given on March 17, 2023 in Somerville, MA.

  9. Links 28/03/2023: KPhotoAlbum 5.10.0 and QSoas 3.2

    Links for the day

  10. The Rumours Were Right: Many More Microsoft Layoffs This Week, Another Round of GitHub Layoffs

    Another round of GitHub layoffs (not the first [1, 2]; won’t be the last) and many more Microsoft layoffs; this isn’t related to the numbers disclosed by Microsoft back in January, but Microsoft uses or misuses NDAs to hide what’s truly going on

  11. All of Microsoft's Strategic Areas Have Layoffs This Year

    Microsoft’s supposedly strategic/future areas — gaming (trying to debt-load or offload debt to other companies), so-called ‘security’, “clown computing” (Azure), and “Hey Hi” (chaffbots etc.) — have all had layoffs this year; it’s clear that the company is having a serious existential crisis in spite of Trump’s and Biden’s bailouts (a wave of layoffs every month this year) and is just bluffing/stuffing the media with chaffbots cruft (puff pieces/misinformation) to keep shareholders distracted, asking them for patience and faking demand for the chaffbots (whilst laying off Bing staff, too)

  12. Links 28/03/2023: Pitivi 2023.03 is Out, Yet More Microsoft Layoffs (Now in Israel)

    Links for the day

  13. IRC Proceedings: Monday, March 27, 2023

    IRC logs for Monday, March 27, 2023

  14. Links 27/03/2023: GnuCash 5.0 and Ubuntu 20.04 LTS on Phones

    Links for the day

  15. Links 27/03/2023: Twitter Source Code Published (But Not Intentionally)

    Links for the day

  16. IRC Proceedings: Sunday, March 26, 2023

    IRC logs for Sunday, March 26, 2023

  17. Links 26/03/2023: OpenMandriva ROME 23.03, Texinfo 7.0.3, and KBibTeX 0.10.0

    Links for the day

  18. The World Wide Web is a Cesspit of Misinformation. Let's Do Something About It.

    It would be nice to make the Web a safer space for information and accuracy (actual facts) rather than a “Safe Space” for oversensitive companies and powerful people who cannot tolerate criticism; The Web needs to become more like today's Gemini, free of corporate influence and all other forms of covert nuisance

  19. Ryan Farmer: I’m Back After WordPress.com Deleted My Blog Over the Weekend

    Reprinted with permission from Ryan

  20. Civil Liberties Threatened Online and Offline

    A “society of sheeple” (a term used by Richard Stallman last week in his speech) is being “herded” online and offline; the video covers examples both online and offline, the latter being absence of ATMs or lack of properly-functioning ATMs (a growing problem lately, at least where I live)

  21. Techrights Develops Free Software to Separate the Wheat From the Chaff

    In order to separate the wheat from the chaff we’ve been working on simple, modular tools that process news and help curate the Web, basically removing the noise to squeeze out the signal

  22. Links 26/03/2023: MidnightBSD 3.0 and FreeBSD 13.2 RC4

    Links for the day

  23. IRC Proceedings: Saturday, March 25, 2023

    IRC logs for Saturday, March 25, 2023

  24. Links 26/03/2023: More TikTok Bans

    Links for the day

  25. Links 25/03/2023: Gordon Moore (of Moore's Law) is Dead

    Links for the day

  26. Links 25/03/2023: Decade of Docker, Azure Broken Again

    Links for the day

  27. [Meme] Money Deducted in Payslips, But Nothing in Pensions

    Sirius ‘Open Source’ has stolen money from staff (in secret)

  28. IRC Proceedings: Friday, March 24, 2023

    IRC Proceedings: Friday, March 24, 2023

  29. The Corporate Media is Not Reporting Large-Scale Microsoft Layoffs (Too Busy With Chaffbot Puff Pieces), Leaks Required to Prove That More Layoffs Are Happening

    Just as we noted days ago, there are yet more Microsoft layoffs, but the mainstream media gets bribed to go “gaga” over vapourware and chaffbots (making chaff like “Bill Gates Says” pieces) instead of reporting actual news about Microsoft

  30. Sirius 'Open Source' Pensiongate: Time to Issue a Warrant of Arrest and Extradite the Fake 'Founder' of Sirius

    Sirius ‘Open Source’ is collapsing, but that does not mean that it can dodge accountability for crimes (e.g. money that it silently stole from its staff since at least 12 years ago)

RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts