Teams Updater Vulnerability

Andrew Matthews
Contributor

There are reports circulating that the Teams auto-update process suffers from the same unsigned code execution as other applications built with Electron.

[Image: TeamsUpdate Vulnerability.png]

Running the Update.exe processStart with any unsigned application binary will run the unsigned application as signed code through a process chain. The Teams Update.exe is signed by Microsoft so the usual AppLocker and Application Guard defences will not block this exploit.


Has anyone got any advice on a workaround or information on whether Microsoft are going to plug this exploit?

8 Replies

The Microsoft folks are aware of this already, and with them "owning" Electron now it shouldn't take a lot of time to patch. The more interesting question here is why was this allowed to happen in the first place, considering security is on top of their SDL list. Guess we can always blame it on the open-source model, but whoever decided to use Electron should have put it through the SDL list to begin with...

I have met some of the Teams Dev team at a conference. They seem very well meaning and want to build a great product, but I get the sense that there is a lack of appreciation for enterprise and security. That shows in the product.


Unfortunately the Electron / Squirrel updater issues are not confined to Teams. Slack and a few other widely used products have the same issues.


Also interesting to note that Electron have deprecated the use of Squirrel on Windows. 

Yep, the problem is with Squirrel and affects a long list of apps.

But you can hunt for them with Defender ATP:

ProcessCreationEvents
// Squirrel's Update.exe launched with an --update <url> argument
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
// pull the URL out of either "--update=<url>" or "--update <url>";
// case() needs every branch to be the same type, hence tostring()
| extend exeURL = case(ProcessCommandLine has "=", tostring(split(ProcessCommandLine, "=", 1)[0]),
    ProcessCommandLine !has "=", tostring(split(ProcessCommandLine, "--update ", 1)[0]),
    "Default")
| where exeURL != "Default"
| sort by EventTime desc
| project EventTime,
    ComputerName,
    exeURL,
    FolderPath,
    ProcessCommandLine,
    AccountName,
    InitiatingProcessCommandLine,
    ReportId,
    ProcessId,
    InitiatingProcessId


This query only focuses on the update part, but you can easily change this to include the procstart param.

http://blog.sec-labs.com/2019/07/hunt-for-nuget-squirrel-update/

@Mattias Borg Awesome. Great tip. I did go looking for a Defender ATP hunt command but obviously did not look hard enough.

@Andrew Matthews I've updated the query to catch all parameters used by Squirrel and 2 URLs I know are legit (other apps using Squirrel which are also affected by this).


ProcessCreationEvents
// any Squirrel updater binary, whatever parameter it was launched with
| where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe")
| where (ProcessCommandLine contains "http")
// first http(s) URL on the command line
| extend URL = extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine)
// drop the update endpoints known to be legitimate
| where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable")
| sort by EventTime desc
| project EventTime,
    ComputerName,
    URL,
    FolderPath,
    ProcessCommandLine,
    AccountName,
    InitiatingProcessCommandLine,
    ReportId,
    ProcessId,
    InitiatingProcessId


Happy Hunting!
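The same hunt logic as the query above, re-implemented in Python so it can be run offline over a few constructed process-creation events (this is an added example, not code from the thread or from Microsoft; the event field names mirror the KQL columns, the example.invalid hostnames are placeholders, and the two allow-listed URLs are the ones given above):

```python
import re
from typing import Dict, List, Optional

# Same regex the second hunt query in the thread uses to pull the URL out.
URL_RE = re.compile(r"((http:|https:)+[^\s]+[\w])")

# The two update endpoints the thread's author treats as legitimate.
KNOWN_GOOD_URLS = {
    "https://slack.com/desktop/update/windows_x64",
    "https://discordapp.com/api/updates/stable",
}

# Constructed sample process-creation events; field names mirror the KQL
# columns. Hostnames under example.invalid are placeholders, not real IoCs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventTime": "2019-07-10T09:00:00Z", "ComputerName": "ws01", "AccountName": "alice",
     "ProcessCommandLine": r"C:\Users\alice\AppData\Local\slack\Update.exe --update=https://slack.com/desktop/update/windows_x64"},
    {"EventTime": "2019-07-10T09:05:00Z", "ComputerName": "ws02", "AccountName": "bob",
     "ProcessCommandLine": r"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe --update http://updates.example.invalid/pkg"},
    {"EventTime": "2019-07-10T09:07:00Z", "ComputerName": "ws03", "AccountName": "carol",
     "ProcessCommandLine": r"C:\Users\carol\AppData\Local\Microsoft\Teams\Update.exe --processStart Teams.exe"},
    {"EventTime": "2019-07-10T08:50:00Z", "ComputerName": "ws04", "AccountName": "dave",
     "ProcessCommandLine": r"C:\Users\dave\AppData\Local\Discord\Update.exe --update=https://cdn.example.invalid/stable"},
]

def extract_url(cmdline: str) -> Optional[str]:
    """First http(s) URL on the command line, or None (mirrors extract(..., 1, ...))."""
    m = URL_RE.search(cmdline)
    return m.group(1) if m else None

def is_squirrel_updater(cmdline: str) -> bool:
    """Substring check; KQL 'has' is a whole-term match, so this is slightly looser."""
    low = cmdline.lower()
    return "update.exe" in low or "squirrel.exe" in low

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events where a Squirrel updater was launched with an http(s) URL that is
    not on the allow-list, newest first (the thread's second query)."""
    hits = []
    for ev in events:
        cmd = ev["ProcessCommandLine"]
        if not is_squirrel_updater(cmd):
            continue
        url = extract_url(cmd)
        if url is None or url in KNOWN_GOOD_URLS:
            continue
        hits.append({**ev, "URL": url})
    return sorted(hits, key=lambda e: e["EventTime"], reverse=True)
```

Running hunt(SAMPLE_EVENTS) returns only bob's and dave's launches; the Slack event is allow-listed and the --processStart launch carries no URL, which is exactly the gap the "procstart param" remark above points at.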


I can confirm that MS has a fix for this already, should be rolling out shortly.

This is precisely why enterprise administrators want a standard MSI installer for Teams that puts things into a properly secured location like C:\Program Files instead of the user's folder. Oh, sure, the vulnerability would still be there, but a standard user wouldn't be able to readily leverage it without some other exploit or flaw.

Any update about it?