
posted by Fnord666 on Friday January 31 2020, @05:43AM   Printer-friendly
from the oops dept.

https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/#7b5493dfb4a4

"This is a cloud security nightmare," Check Point's Yaniv Balmas tells me. "It undermines the concept of cloud security. You can't prevent it, you can't protect yourself. The only one who can is the cloud provider." In this case that's Microsoft, provider of the hyper scale Azure. Check Point is on a roll—a string of disclosures for vulnerabilities detected and disclosed in recent months. We've had WhatsApp, TikTok and Zoom. Now it's Microsoft's turn. "We thought it would be good to find weak points in the integrated security in the cloud," Balmas explains. "We chose Azure as our target."

Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, "a perfect 10.0," Balmas says, referring to the CVE score on Microsoft's disclosure in October. "It's huge—I can't even start to describe how big it is." The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.

There was no detail when Microsoft patched the flaw, just a short explainer. “An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,” the company said at the time, “thereby escaping the Sandbox.” This week, Microsoft confirmed Check Point’s report, telling me that “we released updates to address these issues in 2019.” The spokesperson added that “customers who have applied the updates are protected,” as covered at CVE-2019-1372 and CVE-2019-1234.


  • (Score: 2) by jmichaelhudsondotnet on Friday January 31 2020, @03:36PM (3 children)

    by jmichaelhudsondotnet (8122) on Friday January 31 2020, @03:36PM (#951795) Journal

    A bug in the cloud is fundamentally different from a bug in a program, an OS, a processor, a LAN, a switch, a router or a PC.

    A bug in the cloud affects all of those things, your virtual processor, your virtual OS, your virtual LAN, your virtual switch, your virtual router and your virtual interface to the hypervisor *that you perceive out of laziness as an extension of your PC.*

    A bug in the cloud could also be activated and deactivated by the provider any time they so choose, after 100% of the people consider it patched, and how could you know?

    What reporter is going to take your story that you saw this bug still active 6 months from now?

    None.

    What reporter is asking the question, how do we know no one else knew about this prior to 3rd party researchers finding it? How do we know one of those researchers didn't sit on it and abuse it for a month prior to telling the company?

    The chain of trust here is first of all very, very long, second of all, down at the bottom of this root of trust in this case 'Azure' and the Unit 8200 all stars that operate it is a vast amount of power. True power. To turn all of your cloud computers off with a switch, to know everything on your cloud computers, to turn your cloud computers into haunted houses with the flick of a switch, to even specifically interfere with a single page load to inject a psychological operation on a target.

    But the general consensus I feel, not on SN, but in the more Hackernews, Wired space, like usual, is this boundless trust that it can't be that bad.

    But in every case it has been that bad, usually worse. But for some reason this article reads like some big win, there was a problem we fixed it gobacktosleep, and I find this level of analysis profoundly dangerous, shallow, and technically incompetent. Actually propaganda, or outright marketing like others itt say.

    For an institution like any military to outsource that level of control to another country is an act of submission, fealty, and subjugation. And outright stupidity, caprica style.

    https://archive.is/f4TVo [archive.is]
    https://archive.is/5II5U [archive.is]
    https://archive.is/xXs6r [archive.is]
    https://archive.is/5SRMf [archive.is] this one is off topic but everyone loves the scottish
  • (Score: 3, Informative) by DannyB on Friday January 31 2020, @05:19PM (2 children)

    by DannyB (5839) Subscriber Badge on Friday January 31 2020, @05:19PM (#951833) Journal

    It's bugs all the way down.

    You can't trust your cloud provider.
    You can't trust their OS
    You can't trust their hardware.

    You can't trust the OS installed on your own hardware.
    You can't trust the firmware on your hardware.
    You can't trust Intel Management Extensions on your own hardware

    The Psi Corps is your friend. Trust the corps!

    --
    The lower I set my standards the more accomplishments I have.
    • (Score: 2) by jmichaelhudsondotnet on Saturday February 01 2020, @03:49PM (1 child)

      by jmichaelhudsondotnet (8122) on Saturday February 01 2020, @03:49PM (#952359) Journal

      I thought I would say what I trusted then I realized that is a bad idea.

      Only what can be audited can be trusted, so it is clear that *someone* somewhere intentionally does not want this, and feels very strongly about it.

      And that is koolaid I won't drink, so maybe we can be friends and not trust each other and everything, together.

      Good times, this timeline is so wonderful, I am so glad biff was able to win the lottery.

      https://archive.is/ws6XQ [archive.is]

      • (Score: 2) by DannyB on Monday February 03 2020, @02:56PM

        by DannyB (5839) Subscriber Badge on Monday February 03 2020, @02:56PM (#953133) Journal

        The Auditor can't be trusted.

        --
        The lower I set my standards the more accomplishments I have.