Shulou(Shulou.com)11/24 Report--

CTOnews.com, August 17, AquaSec (Aqua Security), a network security company, recently released a report saying that Microsoft has failed to fix a series of security vulnerabilities in PowerShell Gallery with obvious knowledge.

CTOnews.com Note: PowerShell Gallery is a package repository that contains scripts, modules, and DSC resources available for download and use.

The report reveals three major vulnerabilities in the PowerShell Gallery repository, focusing on fraud and forgery. The report says Microsoft discovered these vulnerabilities a long time ago, but has not yet implemented any fixes.

According to the blog post, CTOnews.com summarizes the timeline as follows:

September 27, 2022-the Aqua research team reported a series of vulnerabilities to MSRC.

October 20, 2022-MSRC confirms the behavior we reported.

November 2, 2022-MSRC indicates that the problem has been fixed (details of product fixes in online services cannot be provided).

December 26, 2022-the Aqua team recreated the vulnerability (unpreventable).

January 3, 2023-the Aqua research team restarts the report on MSRC defects.

January 3, 2023-MSRC confirms the reported behavior.

January 10, 2023-MSRC marks the report as resolved.

January 15, 2023-MSRC responded: "the engineering team is still working to fix typos and package details spoofing. We currently have a short-term solution for new modules released to PSGallery."

March 7, 2023-MSRC responds: "reactive repair is in place".

August 16, 2023-vulnerabilities can still be reproduced.

Related readings:

The report has not been repaired for more than 120 days, and experts accuse Microsoft of being "irresponsible" in security.

Affected by a number of data leaks, Microsoft has been accused of "not paying attention to network security".

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.