{"id":109072,"date":"2023-11-28T07:00:00","date_gmt":"2023-11-28T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=109072"},"modified":"2023-11-28T11:17:01","modified_gmt":"2023-11-28T19:17:01","slug":"20231128-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20231128-00\/?p=109072","title":{"rendered":"A reported vulnerability about getting paid apps for free is really about paying for free apps"},"content":{"rendered":"<p>A security vulnerability report arrived showing how it is possible to get paid apps for free from the Microsoft Store.<\/p>\n<ul>\n<li>Open the Microsoft Store app and search for WinSCP.<\/li>\n<li>Observe that there are three versions of WinSCP in the Store, <a href=\"https:\/\/apps.microsoft.com\/store\/detail\/winscp\/9P0PQ8B65N8X\"> one selling for $9.99<\/a>, another for $4.59, and a third for $6.69.<\/li>\n<li>Go to a command prompt and type <tt>winget install WinSCP<\/tt><\/li>\n<li>Observe that WinSCP is installed without requesting payment.<\/li>\n<\/ul>\n<p>The vulnerability report was actually much longer, but it consisted mostly of breathless prose saying how this vulnerability could result in disclosure of confidential information by employees who use the program to transfer files, some of which might be malicious.<\/p>\n<p>Okay, first, let&#8217;s address the breathless prose: It&#8217;s like saying, &#8220;The customer bought printer paper from your office supply store. The customer might use that paper to print a confidential document and then smuggle it out of the building. This is a security vulnerability in your office supply store!&#8221; I mean, the customer bought the paper fair and square. They used valid funds, not tied to a stolen credit card. It&#8217;s not the office supply store&#8217;s fault that the paper could be used to print a confidential document that is smuggled out of the building. 
And even without printer paper, the customer could use their camera to take a picture of a confidential document. And if the employees don&#8217;t install WinSCP, they can still disclose confidential information by emailing the documents instead of using WinSCP to transfer them. It&#8217;s not clear how it&#8217;s the fault of Windows that a rogue employee can use WinSCP to disclose confidential information.<\/p>\n<p>As for the issue of installing paid software for free: Look again at the program in question. WinSCP is actually free software. <a href=\"https:\/\/winscp.net\/\">Go to the home page<\/a>, and right there top and center it says &#8220;Free Award-Winning File Manager&#8221;, and under it is a big green <i>Download Now<\/i> button.<\/p>\n<p>What you&#8217;re seeing is people taking this free software, repackaging it, and trying to sell it. Repackaging WinSCP is <a href=\"https:\/\/winscp.net\/eng\/docs\/custom_distribution\"> explicitly supported<\/a>, providing the redistribution adheres to <a href=\"https:\/\/winscp.net\/eng\/docs\/license\"> the WinSCP license<\/a>.<\/p>\n<p>One of those repackaged WinSCP apps is in fact the official one from the author of WinSCP. You can buy it from Martin Prikryl to provide financial support to the WinSCP project.<\/p>\n<p>The other two WinSCP apps look sketchier. For example, they list English as the only supported language, yet the privacy policy is written in Chinese. And looking at other offerings from those publishers suggests that their portfolios consist of repackaged free software. I didn&#8217;t do a thorough analysis, but I checked two other offerings from those publishers and they were both software that was already free to download directly from the original authors.<\/p>\n<p>The finder should have been suspicious when there were <i>three<\/i> copies of the product in the Store from different publishers. 
Why would a piece of software have three publishers?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Try shopping around.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-109072","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>Try shopping around.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=109072"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109072\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=109072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=109072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=109072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}