SoylentNews is people

posted by Fnord666 on Friday January 31 2020, @05:43AM
from the oops dept.

https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/#7b5493dfb4a4

"This is a cloud security nightmare," Check Point's Yaniv Balmas tells me. "It undermines the concept of cloud security. You can't prevent it, you can't protect yourself. The only one who can is the cloud provider." In this case that's Microsoft, provider of the hyper scale Azure. Check Point is on a roll—a string of disclosures for vulnerabilities detected and disclosed in recent months. We've had WhatsApp, TikTok and Zoom. Now it's Microsoft's turn. "We thought it would be good to find weak points in the integrated security in the cloud," Balmas explains. "We chose Azure as our target."

Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, "a perfect 10.0," Balmas says, referring to the CVE score on Microsoft's disclosure in October. "It's huge—I can't even start to describe how big it is." The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.

There was no detail when Microsoft patched the flaw, just a short explainer. “An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,” the company said at the time, “thereby escaping the Sandbox.” This week, Microsoft confirmed Check Point’s report, telling me that “we released updates to address these issues in 2019.” The spokesperson added that “customers who have applied the updates are protected,” as covered at CVE-2019-1372 and CVE-2019-1234.


  • (Score: 4, Insightful) by aiwarrior on Friday January 31 2020, @08:38AM (2 children)

    by aiwarrior (1812) on Friday January 31 2020, @08:38AM (#951705) Journal

    So from the article everything was as good as it gets from a security point of view. They had up to now a flawless record, and when it broke it required a very good exploit, which was fixed immediately. What else could a customer want? No security bugs? I think anybody with any knowledge of security will tell you that is probably impossible. It's on the mitigation and record that you must rely, and so far so good.

  • (Score: 4, Insightful) by driverless on Friday January 31 2020, @12:05PM

    by driverless (4770) on Friday January 31 2020, @12:05PM (#951729)

    Alternatively, no-one had ever really bothered looking at their security before, and now that someone has, the very first flaw discovered is a 10.0 on the scale. So far, so Microsoft.

  • (Score: 2) by zeigerpuppy on Friday January 31 2020, @09:33PM

    by zeigerpuppy (1298) on Friday January 31 2020, @09:33PM (#951976)

    A cloud service bug that breaks isolation between users is really serious.
    It suggests that there is a big problem with the Microsoft implementation of resource separation, server side.
    This probably means that a simple bug fix will only work until the next hole is punched in the infrastructure.