Submitted via IRC for Bytram
Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.
Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. [...] Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.
[...] Duffy found another vulnerability within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent) which exposed API keys for debugging purposes.
[...] Duffy says he was paid less than US$3500 for the vulnerability disclosures under Microsoft's bug bounty but did not name a precise figure.
Source: The Register
(Score: 2) by zocalo on Tuesday November 29 2016, @02:28PM
UNIX? They're not even circumcised! Savages!
(Score: 2) by DannyB on Tuesday November 29 2016, @03:05PM
This has everything to do with anti trust if it was not a dumb mistake but more likely a deliberate plan. Remember this IS Microsoft we're talking about. Destroying competitors is in their DNA. It's deep. They cannot escape it.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 3, Insightful) by TheRaven on Tuesday November 29 2016, @03:19PM
sudo mod me up
(Score: 2) by zocalo on Tuesday November 29 2016, @04:53PM
There are times and reasons to bash Microsoft, and even accuse them of anti-trust (the latest fun and games with Edge for users of Chrome and Firefox spring to mind), but this isn't one of them.
UNIX? They're not even circumcised! Savages!
(Score: 2) by jcross on Tuesday November 29 2016, @07:23PM
Yeah, I think you're probably right and in this case it's easy enough to presume incompetence rather than malice. A string of incidents like this could land them in hot water though, I'm just pointing out that they could stand to be a bit more cautious.
(Score: 2) by HiThere on Tuesday November 29 2016, @08:11PM
I don't find it much of a stretch...but it isn't inherently convincing, either. This is a case where I'm predisposed to believe MS did it on purpose, but I am well aware that this isn't because of evidence in this particular case.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Insightful) by Gaaark on Tuesday November 29 2016, @03:23PM
I don't see how this has anything to do with anti-trust; they made a dumb mistake
Followed quickly by...
I'm actually at a loss to figure out how they managed it
Because... they did it on purpose?
Make RedHat less secure by introducing their own 'malicious packages' and saying "Hey, businesses, RH is less secure than windows!"
ANTI-TRUST!!!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Tuesday November 29 2016, @03:44PM
Actually even though this is labeled MS Azure, it's RedHat that manages the infrastructure for them.
This is 100% RedHat's fault. They're liable for the day to day running of these things.
(Score: 3, Insightful) by Desler on Tuesday November 29 2016, @07:48PM
So then why would they have acknowledged the problem and fixed it? That seems to be a shitty way to sabotage them.
(Score: 0) by Anonymous Coward on Wednesday November 30 2016, @11:31AM
That's not how it works. It would be "Hey, MS Redhat is less secure than genuine Redhat".
Besides, it takes a lot more than one hole to be less secure than Windows.