-
@ajpsec
You are free to review the source code yourself to make this determination. As a security professional with 20+ years of experience in various industry circles, I can give you the professional assurance that this client has been code reviewed extensively from a security standpoint.
A bug in the Microsoft Windows OneDrive client will not impact this client. The Windows client additionally, from all the analysis work I have done, does not fully use the same published APIs that this client uses - it draws on a number of unpublished|non-public interfaces. The Windows client additionally uses more Operating System | File System level integration so that features such as block-level file changes can be uploaded to content online. Additionally, if there is a security issue found on the published APIs - unless that API is critically changed/modified requiring a code modification for this client, any API fix would be transparent to this client.
Feel free to do this and provide your findings. Happy to work through any issue that is found.
The readme does not state this. The readme states: "Support for National cloud deployments (Microsoft Cloud for US Government, Microsoft Cloud Germany, Azure and Office 365 operated by 21Vianet in China)" - this means the client can be configured to work in those specific environments. Is it being used? Maybe - it might be, it might not be, maybe it was, but now it is not - but it is highly doubtful any 'concrete' reference confirming its use would ever be provided by any organisation that is working in the confines of USL4 or even USL5 environments.
During the development of this particular feature, folk who required this functionality assisted in getting this implemented with extensive debug testing and confirmation of the client working within their environment. I would suspect, based on a number of factors, they would have had to seek approval | review of some sort of the client to even utilise it in the first instance. I also highly doubt that any such publication of their security assessment of this client would be possible, as then this gives a potential threat vector to potential bad actors to look at something else that may or may not have a flaw that currently cannot be seen or determined - but exists through some obscure workflow or compiler vulnerability. Bugs / flaws will exist ... that is the nature of software. If they are identified and can be fixed, they will be fixed.
-
@ajpsec
The OneDrive Personal Vault, on Personal Accounts, is not supported by the published public OneDrive APIs. As such, this client has no access to the Personal Vault.
-
Hi,
I have a query on the security controls on OneDrive content, particularly the Personal Vault.
Has any assessment been done on potential vulnerabilities of using this Linux-based solution, as opposed to the native Windows version? Whilst Microsoft libraries may be used, are there any security concerns with using this Linux runtime and how it communicates with the Internet-facing Microsoft OneDrive API?
I am cautious of using this, as it's effectively an Open Source Software solution. For example, if Microsoft identify and fix a vulnerability in the Windows version, how does that same fix make it into this Linux code base and get pushed out to anyone that may be using it?
It may be worth doing a security assessment and documenting the findings in case there are any concerns?
The README states it's in use by Microsoft Cloud for US Government. Did the US Government perform a security assessment and document their findings anywhere?
It would be good to reference any assessment that's already been done, as this could open a security concern if bypassing the native Windows version.
Thanks in advance.
Regards
Andy