bramhaag 4 days ago

  > We reported the vulnerability to Microsoft in April and they have since fixed it as a moderate severity vulnerability. As only important and critical vulnerabilities qualify for a bounty award, we did not receive anything, except for an acknowledgement on the Security Researcher Acknowledgments for Microsoft Online Services webpage.
I guess it makes sense that a poor little indie company like Microsoft can't pay bug bounties. Surely no bad things will come out of this.
n2d4 4 days ago | parent | next [-]

The important part:

  > Now what have we gained with root access to the container?

  > Absolutely nothing!

  > We can now use this access to explore parts of the container that were previously inaccessible to us. We explored the filesystem, but there were no files in /root, no interesting logging to find, and a container breakout looked out of the question as every possible known breakout had been patched.
I'm sure there are more ways to acquire root. If Microsoft pays out for one, they have to pay out for all, and it seems pretty silly to do that for something that's slightly unintended but not dangerous.
bramhaag 4 days ago | parent | next [-]

  > a container breakout looked out of the question as every possible known breakout had been patched
This is the part that concerns me. It only encourages an attacker to sit on an exploit like this until a new container breakout is discovered.
tptacek 4 days ago | parent | next [-]

Are you not concerned about all the other platforms that rely on containers as security boundaries between tenants? There are a lot of them.

bgwalter 3 days ago | parent [-]

It is hard to answer that since the stack is so convoluted. Some parts are forced on the user. Copilot is built into Microsoft Office workplace applications.

If you break out of a container, do you have access to the same system that serves these applications? Who knows, it looks like a gigantic mess.

whazor 4 days ago | parent | prev [-]

I expect that they run their containers more isolated as virtual machines. So they have bigger problems if there is a breakout possible.

nicce 4 days ago | parent | prev | next [-]

Severity is based on impact. What was the impact here beyond single container and that specific user instance? Feels like moderate was okay, or even too high.

DSMan195276 3 days ago | parent | prev | next [-]

IMO if they truly don't consider it dangerous then they shouldn't have considered it a vulnerability at all, just a non-security bug. Labeling it a moderate vuln and not paying just seems like a bad middle ground to me, as though they haven't really decided if restricted root permissions are part of the security model or not.

eddythompson80 3 days ago | parent [-]

Eh, I’m guessing it’s just one of those bugs that have to be categorized as security, but the design assumes that this particular security layer is leaky and is only really there for the experience rather than actual security.

The container is almost certainly running with hypervisor isolation. The trust boundary is with the container. But an LLM is executing arbitrary code in a Jupyter notebook there. It could trash the container, which is not a security issue in itself (again since your boundary is hypervisor anyway) but it’s a pretty shitty experience. Suddenly copilot could trash its container and it no longer can execute code and you’re stuck until whatever session or health check kicks in to give you a new instance. So running LLM generated code/commands as a non-root user makes it easier to have a better experience.

At the same time, you’ll be laughed at if you don’t categorize a root escalation when not expected as a “not a security issue”.

amelius 4 days ago | parent | prev [-]

Maybe this was their honeypot container.

citizenpaul 4 days ago | parent | prev | next [-]

I'll never understand why people do free dev work for multinational trillion dollar conglomerates.

hnthrow90348765 4 days ago | parent | next [-]

It's still good for reputation. This is by a researcher at a company, so a benefit for both of them. Plus if we didn't have bug bounty programs, they'd have to willingly work at Microsoft to do this research.

nicce 4 days ago | parent [-]

This could have turned badly in terms of reputation if they had tried to complain that the vulnerability should be critical, or used other ways to seek attention for not getting a bounty, but the current way was a rather neutral way.

hombre_fatal 4 days ago | parent | prev | next [-]

Could say the same thing about open source software.

blendergeek 4 days ago | parent | next [-]

It's why I don't understand why people believe in "open source". Why would I contribute free dev work to a billion dollar corporation? I do believe in "Free Software" which is contributing free dev work to my fellow man for the benefit of all mankind.

CharlesW 4 days ago | parent | next [-]

This may be a misconception. "Free software" (e.g. Linux) also benefits billion-dollar corporations and "open source" also benefits all mankind.

blendergeek 4 days ago | parent | next [-]

Free software and open source are two ideologies for the same thing. Free Software is the ideology of developing the software for the benefit of mankind (it's sometimes termed a "political" stance but I see it as an ethical stance). Open source is the ideology of saving money at a corporation by not paying the developers. Sure open source can benefit mankind but will only develop corporate software for money. When developing on my own time, I will focus on software that either personally benefits me or benefits other regular people.

CharlesW 4 days ago | parent [-]

I applaud your choice! I just can't think of any free software examples that don't also benefit corporations.

trueismywork 4 days ago | parent | next [-]

You need to think of it in a different manner. When you have AGPL code, then it benefits mankind more than corporations. There's a Harvard report on the value of open source to society based on how much money corporations put in.

Today linux is working nicely on desktops (even though it's not the year of linux) and is heavily dominated by corporations. The parts where linux doesn't do well are exactly the parts without corporate support.

Software is becoming complex enough that it's not possible for a single company to even just maintain a compiler, let alone an office suite. It's perfect ground for either one company having a monopoly or a free software (not open source) being a base for the masses.

kortilla 3 days ago | parent [-]

That’s not an example of open source that doesn’t benefit corporations. Linux is amazing for corporations.

Wilder7977 4 days ago | parent | prev [-]

Lichess, the gazillion of self-hosting software. There are many examples of free software that are exclusively (or let's say predominantly) used in noncommercial environments.

In any case, I agree with the commenter, and I think that developing a software which is also used by companies is different from looking for vulnerabilities in the context and scope of a bug bounty program for a specific company. Yes, you could argue that users of said company are going to be more secure, but it's evident that even in this case the company is the direct beneficiary.

NoOn3 4 days ago | parent | prev [-]

At least under some licenses like GPL/AGPL you get some code back.

eastbound 4 days ago | parent | prev | next [-]

> Why would I contribute free dev work to a billion dollar corporation?

The billion dollars company contributed more to your startup than you do to them. Microsoft provides:

- VSCode,

- Hosts all NPM repositories. You know, the ones small startups are too lazy to cache (also because it’s much harder to cache NPM repositories than Maven) and then you re-download them at each build,

- Typescript

wkat4242 4 days ago | parent [-]

Meh, it depends whether you use those things of course. There's other IDEs, other languages. And Microsoft isn't doing this out of charity. A lot of the really useful plugins are not working on the open source version, so people that use them provide telemetry which is probably valuable. Or they use it as a gateway to their services like GitHub Copilot.

If a mega corporation gives you something for free it's always more beneficial to them otherwise they wouldn't do it in the first place.

eastbound 4 days ago | parent [-]

So, no OSS contribution is valid unless you are using this very library?

Did Microsoft contribute more to the OSS world, or did the OSS world contribute more to Microsoft? I pardon Microsoft because they have donated Typescript, which is a true civilizational progress. You could say the OSS world has contributed to Microsoft because they’ve given them a real OS, which they didn’t have inner expertise to develop. We’re even.

Now you sound like you have a beef against large companies and would find any argument against them. Some guy once told me that I didn’t increase my employees by 30% out of benevolence, but because I must be an awful employer. See, why else would I increase employees.

This behavior is actively harmful to the rest of the world. You are depriving good actions from a “thank you” and hence you are depriving recipients of good actions from more of them. With this attitude, the world becomes exactly like you project it to be: Shitty.

bgwalter 4 days ago | parent | next [-]

The open source ecosystem was perfect before Microsoft tried to meddle, assimilate and destroy.

Microsoft has destroyed several open source projects by infiltrating them with mediocre MSFT employees.

Microsoft bought the GitHub monopoly in order to control open source further. Microsoft then stole and violated the copyright by training "AI" on the GitHub open source.

Microsoft finances influential open source organizations like OSI in order to make them more compliant and business friendly.

The useful projects are tiny compared to the entire open source stack. Paying for NPM repositories is a goodwill gesture and another power grab.

wkat4242 3 days ago | parent | prev [-]

> So, no OSS contribution is valid unless you are using this very library?

You said Microsoft contributes to my start-up. That's only true if we actually use it.

> Now you sound like you have a beef against large companies and would find any argument against them.

I certainly have beef with Microsoft in particular, yes. And most big tech. I work a lot with Microsoft people and they're always trying to get us to do things that benefit them and not us (and I hate the attitude of a mere supplier trying to tell us what to do). Always trying to get us to evangelize their stuff which is mostly mediocre, dumping constant rebranding campaigns on us etc.

I'm not looking for arguments but I do hate the mega corporations and I don't believe in any benevolence on their side. I think the world would be much better off without them. They have way too much influence on the world. They should have none, after all they are not people and can't vote.

I also don't appreciate their contributions to eg Linux and OpenStreetMap. There's always ulterior motives. Like giving running on their cloud a step up, embedding their own IP like RedHat/IBM do (and Canonical always tries but fails at). Most of the contributions are from big tech now. I don't believe in a 'win/win' scenario involving corporations.

But I'm very much against unbridled capitalism and neoliberalism yes. I think it causes most of what's wrong with this world, from unequal distribution of wealth, extreme pollution, wars (influenced by the MIC) etc. Even the heavy political polarisation. The feud between the democrats and republicans is really just a proxy war for big corporate interests. Running a campaign requires so much trouble that it's no longer possible with a real grassroots movement.

But anyway this is my opinion. Take it as it is or don't. You have the right to your own opinions of course! I'm aware my opinion isn't very nuanced.

> This behavior is actively harmful to the rest of the world. You are depriving good actions from a “thank you” and hence you are depriving recipients of good actions from more of them.

Nah. Microsoft doesn't care what I think. I'm nothing but an ant on the floor to them.

Besides, they are doing this for reasons. The thank you isn't one of them. Hosting npm is peanuts for a big cloud provider, just advertising really. And it gives them a lot of metrics about the usage of libraries and from where. And VS Code, I'm sure they had a discussion about "what's in it for us in the long term" with some big envisioned benefits. You don't start a big project without that.

With most of their other products it's more clear. Like Edge, they clearly made this to lock corporate customers further into their ecosystem (it can be deeply locked down which corporate IT loves because they enjoy playing BOFH) and for customers for upselling to their services. It's not better than Google's, they just replaced Google's online services with their own.

exe34 4 days ago | parent | prev | next [-]

I think the argument is that when big companies make use of stuff, it gets more scrutiny and occasionally they contribute back improvements, and the occasional unicorn gets actual man hours paid for improving it. So if your project gets big enough, it's beneficial. But you have to have a MIT/BSD license usually, because companies will normally stay away from GPL.

victorbjorklund 4 days ago | parent | prev [-]

Why do basic science which benefits everyone else for free?

dylan604 4 days ago | parent | prev | next [-]

I know maintainers of projects have been hired directly by companies using their code as it is the most expedient way forward. Others might just offer up enough money to get the maintainer to take up a few of their specific issues/requests in a way that makes it worth their while. Just because someone is working on a project that is open source does not mean that money cannot be involved in the development. The company paying that money knows that the updates released as a normal part of the project will be available to anyone else using it as well.

pharrington 4 days ago | parent | prev | next [-]

It's called "I use the software, I already want to improve the software I'm using, so after I improve it I'll contribute the improvements I've already made to the broader community."

Granted, I myself have been guilty of not giving back to the open source community this way in the past, but I won't pretend that was reasonable or ethical of me!

edit: after reading some comments, I realize I may have meant to say "free software" instead of "open source"

Disposal8433 4 days ago | parent | prev [-]

No, we can't say. I'm not an asshole, it helps people, and companies shun GPL licenses. That's not a valid comparison. Microsoft can go fuck itself, people around me love my software and it improves their lives.

tptacek 4 days ago | parent [-]

It's... 100% a valid comparison? The point is that doing free vulnerability research isn't irrational, not that doing open source work is bad. You're twisting yourself into a pretzel trying to keep the original argument alive.

MattGaiser 4 days ago | parent | prev | next [-]

It mostly pays in career benefits. Same reason why plenty intern for free.

qbit42 3 days ago | parent [-]

Who is interning for free as a software engineer?

MattGaiser 3 days ago | parent | next [-]

People who did bootcamps and thus are too risky to hire for most roles and cannot get into the standard CS hiring pipeline. Especially now that junior roles are drying up.

In professions like fashion, virtually everyone seems to at some point.

koakuma-chan 3 days ago | parent | prev [-]

Me

jimbokun 4 days ago | parent | prev | next [-]

Well a lot of people do this kind of work to be able to commit crimes.

apwell23 4 days ago | parent | prev [-]

I don't think they did the work for them. They just reported it to them.

paulddraper 4 days ago | parent | prev | next [-]

As you’ll see elsewhere, “root” got them literally nothing. They tried but there was nothing to be had.

wkat4242 4 days ago | parent [-]

They didn't find anything they could do with it but that container isn't there for no reason. I agree with the rating but it's nonetheless worrying. You don't leave the house you bought unlocked because there's nothing in it to steal yet.

paulddraper 3 days ago | parent [-]

More like leaving your front gate unlocked.

0xbadcafebee 3 days ago | parent | prev [-]

M$: If you're not going to send any money, send some swag. Make it cool and hackers will wear it, and now you have them advertising for you and possibly even want to work for you. Culture is a tool, and hackers have culture, so learn how to use it.