
posted by Fnord666 on Friday January 31 2020, @05:43AM
from the oops dept.

https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/#7b5493dfb4a4

"This is a cloud security nightmare," Check Point's Yaniv Balmas tells me. "It undermines the concept of cloud security. You can't prevent it, you can't protect yourself. The only one who can is the cloud provider." In this case that's Microsoft, provider of the hyperscale Azure. Check Point is on a roll—a string of disclosures for vulnerabilities detected and disclosed in recent months. We've had WhatsApp, TikTok and Zoom. Now it's Microsoft's turn. "We thought it would be good to find weak points in the integrated security in the cloud," Balmas explains. "We chose Azure as our target."

Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, "a perfect 10.0," Balmas says, referring to the CVE score on Microsoft's disclosure in October. "It's huge—I can't even start to describe how big it is." The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.

There was no detail when Microsoft patched the flaw, just a short explainer. “An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,” the company said at the time, “thereby escaping the Sandbox.” This week, Microsoft confirmed Check Point’s report, telling me that “we released updates to address these issues in 2019.” The spokesperson added that “customers who have applied the updates are protected,” as covered at CVE-2019-1372 and CVE-2019-1234.

  • (Score: 2) by jmichaelhudsondotnet (8122) on Saturday February 01 2020, @03:49PM (#952359) (1 child)

    I thought I would say what I trusted then I realized that is a bad idea.

    Only what can be audited can be trusted, so it is clear that *someone* somewhere intentionally does not want this, and feels very strongly about it.

    And that is Kool-Aid I won't drink, so maybe we can be friends and not trust each other and everything, together.

    Good times, this timeline is so wonderful, I am so glad Biff was able to win the lottery.

    https://archive.is/ws6XQ

  • (Score: 2) by DannyB (5839) on Monday February 03 2020, @02:56PM (#953133)

    The Auditor can't be trusted.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.