Submitted via IRC for Bytram
Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.
Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. [...] Duffy says all Azure RHEL images are configured without GPG validation checks meaning all would accept malicious package updates on their next run of yum updates.
[...] Duffy found another vulnerability within the mandatory Microsoft Azure Linux Agent (WaLinuxAgent) which exposed API keys for debugging purposes.
[...] Duffy says he was paid less than US$3500 for the vulnerability disclosures under Microsoft's bug bounty but did not name a precise figure.
Source: The Register
(Score: 2) by zocalo on Tuesday November 29 2016, @04:53PM
There are times and reasons to bash Microsoft, and even accuse them of anti-trust (the latest fun and games with Edge for users of Chrome and Firefox spring to mind), but this isn't one of them.
UNIX? They're not even circumcised! Savages!
(Score: 2) by jcross on Tuesday November 29 2016, @07:23PM
Yeah, I think you're probably right and in this case it's easy enough to presume incompetence rather than malice. A string of incidents like this could land them in hot water though, I'm just pointing out that they could stand to be a bit more cautious.
(Score: 2) by HiThere on Tuesday November 29 2016, @08:11PM
I don't find it much of a stretch...but it isn't inherently convincing, either. This is a case where I'm predisposed to believe MS did it on purpose, but I am well aware that this isn't because of evidence in this particular case.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.