Here at Patch My PC, we consider ourselves part of your operational security team, focused on fixing the vulnerabilities found in your environment. Our product integrates with powerful systems management tools that often have complete control over many, if not all, of your endpoints. We take security seriously and have a dedicated security team. If you have questions or concerns or ever need to make a report, you can contact that team directly at https://patchmypc.com/security.
Publisher Stored Secrets
Our Publisher must be configured to connect to your Intune tenant, ConfigMgr infrastructure, and/or WSUS infrastructure to publish applications and updates to your environment, depending on your use case. You might further configure Publisher to send emails via SMTP, authenticate to a proxy, or send notifications via Webhooks. These features are secured by secrets such as Azure App Registration secrets or user credentials, which the Publisher stores on the system in an encrypted state. This encryption must be reversible by the Publisher, and as such, it can be reversed by any user who can read the encrypted data and the material needed to decrypt it on that system.
While we intended that only local administrators could run Publisher and thus decrypt these secrets, it came to our attention that non-admins could read the registry keys and files needed to do so. Note that those non-admin users would still have to be able to log on interactively to the operating system running Publisher or reach it remotely via PowerShell remoting, WMI, and/or admin shares.
Allow Only Admins to Access Secrets
Within 12 hours of learning this, we released a new version of Publisher that ensures only local administrators can decrypt these secrets. As of this writing, the vast majority of our customers have already installed this version and have this heightened protection. If you are unable to install the latest version of Publisher, you can apply these restrictions yourself by removing the permissions granted to the local Users group (BUILTIN\Users) on the ‘HKLM\SOFTWARE\Patch My PC\Publishing Service’ registry key and the ‘%ProgramFiles%\Patch My PC\Patch My PC Publishing Service’ folder. Because those permissions are inherited from the parent key and folder, you will need to disable inheritance (keeping the inherited entries as explicit ones) before you can remove them.
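The following is an added example of how to apply that manual restriction; it is not Patch My PC's own code. It assumes the default install locations named above, that you run it from an elevated PowerShell session, and that the Publisher service runs as SYSTEM or a member of the local Administrators group (both keep their access because inherited entries are copied as explicit ones before the Users entries are removed). If your service runs under a dedicated account, grant that account explicit access to both locations as well.

```powershell
# Added example (not Patch My PC's own code): remove BUILTIN\Users from the
# Publisher's registry key and install folder on a host that cannot be upgraded.
# Run from an elevated PowerShell session.
# Assumption: default install paths; the service runs as SYSTEM or a local admin.

$targets = @(
    'HKLM:\SOFTWARE\Patch My PC\Publishing Service',
    (Join-Path $env:ProgramFiles 'Patch My PC\Patch My PC Publishing Service')
)
$users = [System.Security.Principal.NTAccount]'BUILTIN\Users'

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found, skipping: $path"
        continue
    }

    # Pass 1: break inheritance. The second argument ($true) copies the inherited
    # entries as explicit ones, so SYSTEM and Administrators keep their access.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Pass 2: re-read the now-explicit ACL and drop every entry granted to
    # BUILTIN\Users. For the folder, the inheritable entries propagate to the
    # files and subfolders that inherit from it.
    $acl = Get-Acl -LiteralPath $path
    $acl.PurgeAccessRules($users)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify: list any remaining entries for broad principals. Expect no output for
# BUILTIN\Users; anything shown for Authenticated Users or Everyone would need the
# same treatment.
foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users|Everyone' } |
        ForEach-Object { "{0}: {1} {2} (inherited: {3})" -f $path, $_.IdentityReference, $_.AccessControlType, $_.IsInherited }
}
```

The two-pass structure matters: the .NET ACL object will not remove an entry that is still marked as inherited, so the protected ACL is written first and then re-read before the Users entries are purged. Re-running the script is safe, since both steps are idempotent.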
If you are currently using Advanced Insights on the same server as Publisher, we recommend updating it to the latest version as well. If you are unable to upgrade, navigate to the Settings page in Advanced Insights and add your license key there.
Further Securing Access to Publisher
Integration with systems management tools is a vital part of how we deliver value. Publisher is responsible for delivering applications to your environment, which makes it a target for threat actors looking to deploy malicious software. We recommend applying the same security principles to Publisher that you do for your Tier 0 or Tier 1 infrastructure, such as the systems management tools we integrate with. Consider any account with access to Publisher, or to the system that runs it, as having rights to deploy applications to your environment. In particular, we recommend installing Publisher on a device that is highly secure, accessible only to a small group of privileged users with local administrator rights, and monitored for unexpected interactive and remote logons. You can learn more about privileged access strategies here: Securing privileged access Enterprise access model | Microsoft Learn.
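As an added example of the logon monitoring recommended above (not Patch My PC's own code or tooling), the following flags Security event 4624 logons to the Publisher host by accounts outside a small allowed list, limited to the logon types that actually give an account a session on the machine. The allowed-account names, the sample logon records, and the `Find-UnexpectedLogons` and `ConvertFrom-LogonEvent` function names are assumptions made for the example; the sample records are constructed, not real telemetry.

```powershell
# Added example (not Patch My PC's own code): report logons to the Publisher host by
# accounts that are not on the short list of admins allowed to use it.
# Assumption: $AllowedAccounts holds your DOMAIN\user names; sample data is constructed.

# 4624 logon types that give an account a session on the host, matching the access
# paths named in the advisory: 2 = Interactive (console), 3 = Network (admin shares,
# WMI, PowerShell remoting), 10 = RemoteInteractive (RDP).
$logonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive' }

function ConvertFrom-LogonEvent {
    # Flatten a real 4624 record from Get-WinEvent using its XML, which is more
    # robust than relying on positional Properties[] indexes.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = [int]$data.LogonType
            Source    = $data.IpAddress
        }
    }
}

function Find-UnexpectedLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Logons,          # objects shaped like ConvertFrom-LogonEvent output
        [Parameter(Mandatory)] [string[]] $AllowedAccounts  # accounts permitted to log on to this host
    )
    $Logons | Where-Object {
        $logonTypeNames.ContainsKey($_.LogonType) -and   # only session-granting logon types
        ($AllowedAccounts -notcontains $_.User) -and     # not on the allow list
        ($_.User -notmatch '\$$')                        # skip computer accounts (name ends in $)
    } | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.Time
            User   = $_.User
            Via    = $logonTypeNames[$_.LogonType]
            Source = $_.Source
        }
    }
}

# Constructed sample logons (not real telemetry): an allowed admin over RDP, a
# non-admin over the network, a computer account, and a service logon (type 5).
$sample = @(
    [pscustomobject]@{ Time = '2024-01-01 08:00'; User = 'CORP\pmp-admin'; LogonType = 10; Source = '10.0.0.5'  }
    [pscustomobject]@{ Time = '2024-01-01 08:05'; User = 'CORP\jdoe';      LogonType = 3;  Source = '10.0.0.42' }
    [pscustomobject]@{ Time = '2024-01-01 08:06'; User = 'CORP\PMPHOST$';  LogonType = 3;  Source = '-'         }
    [pscustomobject]@{ Time = '2024-01-01 08:07'; User = 'CORP\jdoe';      LogonType = 5;  Source = '-'         }
)
Find-UnexpectedLogons -Logons $sample -AllowedAccounts @('CORP\pmp-admin') | Format-Table -AutoSize
# Only the 08:05 Network logon by CORP\jdoe is reported.

# On the Publisher host itself, feed real events instead of the sample:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-LogonEvent
# Find-UnexpectedLogons -Logons $events -AllowedAccounts @('CORP\pmp-admin')
```

Any hit from this report is, by the advisory's own threat model, an account that could reach the stored secrets on an unpatched Publisher, so it is also the trigger for the secret rotation discussed below.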
Should We Cycle Our Secrets?
It’s never a bad idea to occasionally cycle these sorts of secrets and credentials. In this case, we believe it would only be particularly valuable if you allow non-Admin users to log in interactively or remotely to the device where Publisher is installed. We don’t expect that scenario to be common as it violates standard security practices and is not a default configuration. You may also consider cycling these if you have many users with local administrator access to the Publisher device.
While we believe that the changes above, in tandem with adequately securing Publisher, are enough to protect our customers' environments, we think we can do even better. Our engineering team is investigating ways to better protect these secrets by further restricting who has access to them and how they are stored. In addition, we have been actively working to redesign how we interact with Intune and other services, which would reduce or remove the need for credentials to live on the device entirely.