posted by Fnord666 on Friday January 31 2020, @05:43AM
from the oops dept.

https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/#7b5493dfb4a4

"This is a cloud security nightmare," Check Point's Yaniv Balmas tells me. "It undermines the concept of cloud security. You can't prevent it, you can't protect yourself. The only one who can is the cloud provider." In this case that's Microsoft, provider of the hyperscale Azure. Check Point is on a roll—a string of disclosures for vulnerabilities detected and disclosed in recent months. We've had WhatsApp, TikTok and Zoom. Now it's Microsoft's turn. "We thought it would be good to find weak points in the integrated security in the cloud," Balmas explains. "We chose Azure as our target."

Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, "a perfect 10.0," Balmas says, referring to the CVE score on Microsoft's disclosure in October. "It's huge—I can't even start to describe how big it is." The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.

There was no detail when Microsoft patched the flaw, just a short explainer. “An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,” the company said at the time, “thereby escaping the Sandbox.” This week, Microsoft confirmed Check Point’s report, telling me that “we released updates to address these issues in 2019.” The spokesperson added that “customers who have applied the updates are protected,” as covered at CVE-2019-1372 and CVE-2019-1234.


  • (Score: 1, Touché) by Anonymous Coward on Friday January 31 2020, @08:00AM

    by Anonymous Coward on Friday January 31 2020, @08:00AM (#951697)

    Thank goodness I run Ubuntu! Why are Microserf users so, um, gullible? Stupid and gullible?

  • (Score: 4, Insightful) by aiwarrior on Friday January 31 2020, @08:38AM (2 children)

    by aiwarrior (1812) on Friday January 31 2020, @08:38AM (#951705) Journal

    So from the article everything was as good as it gets from a security point of view. They had up to now a flawless record, and when it broke it required a very good exploit, which was fixed immediately. What else could a customer want? No security bugs? I think anybody with any knowledge of security will tell you that is probably impossible. It's on the mitigation and record that you must rely, and so far so good.

    • (Score: 4, Insightful) by driverless on Friday January 31 2020, @12:05PM

      by driverless (4770) on Friday January 31 2020, @12:05PM (#951729)

      Alternatively, no-one had ever really bothered looking at their security before, and now that someone has, the very first flaw discovered is a 10.0 on the scale. So far, so Microsoft.

    • (Score: 2) by zeigerpuppy on Friday January 31 2020, @09:33PM

      by zeigerpuppy (1298) on Friday January 31 2020, @09:33PM (#951976)

      A cloud service bug that breaks isolation between users is really serious.
      It suggests that there is a big problem with the Microsoft implementation of resource separation, server side.
      This probably means that a simple bug fix will only work until the next hole is punched in the infrastructure.

  • (Score: 0, Troll) by Mojibake Tengu on Friday January 31 2020, @09:17AM

    by Mojibake Tengu (8598) on Friday January 31 2020, @09:17AM (#951707) Journal

    The so called cloud security is a mirror image to health conditions of das Konzentrationslager. Most deaths come from infections.
    How could liberals even conceive that model?

    --
    Rust programming language offends both my Intelligence and my Spirit.
  • (Score: 3, Interesting) by Bot on Friday January 31 2020, @11:52AM (6 children)

    by Bot (3902) on Friday January 31 2020, @11:52AM (#951727) Journal

    Cloud security is not attainable because you don't have physical access to the hardware anyway nor actual legal protection against the OMG national security excuse nor a solid guarantee you are able to get your data back at a reasonable price should you need it.
    So I drift OT.
    Why would a perfect 10 need any decimal? What kind of notation is that? There can be a perfect 10.2 or 9.7? Why put on a scale vulnerabilities when it is already enough to classify them by the usual bunch of definitions? local/remote, privilege escalation, DoS, code execution, side channel attack...

    --
    Account abandoned.
    • (Score: 3, Informative) by Gaaark on Friday January 31 2020, @12:06PM

      by Gaaark (41) on Friday January 31 2020, @12:06PM (#951731) Journal

      'cos Perfect 10.0 attacks against Microsoft can go to 11!

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
    • (Score: 3, Informative) by driverless on Friday January 31 2020, @12:16PM

      by driverless (4770) on Friday January 31 2020, @12:16PM (#951733)

      Why would a perfect 10 need any decimal? What kind of notation is that?

      To distinguish it from Adobe. Their security holes go to 11.

    • (Score: 0) by Anonymous Coward on Friday January 31 2020, @12:40PM

      by Anonymous Coward on Friday January 31 2020, @12:40PM (#951734)

      It's a 10.0 because this is the first release of the perfect fix.

    • (Score: 0) by Anonymous Coward on Friday January 31 2020, @07:30PM

      by Anonymous Coward on Friday January 31 2020, @07:30PM (#951909)

      10.0 has two holes as opposed to one you get with just 10

    • (Score: 2) by fido_dogstoyevsky on Friday January 31 2020, @09:03PM (1 child)

      Why would a perfect 10 need any decimal? What kind of notation is that?

      Because it's the beta version.

      --
      It's NOT a conspiracy... it's a plot.
  • (Score: 5, Informative) by driverless on Friday January 31 2020, @11:55AM (2 children)

    by driverless (4770) on Friday January 31 2020, @11:55AM (#951728)

    Dear readers,

    It has been brought to our attention that there is a serious typo in the article. The line:

    That isolation is the basis of cloud security, enabling the safe sharing of common hardware.

    should have read:

    That isolation is the basis of cloud marketing, enabling the renting-out of common hardware.

    Please update your references.

    Love,
    The editors.

    • (Score: 3, Funny) by DannyB on Friday January 31 2020, @05:16PM (1 child)

      by DannyB (5839) Subscriber Badge on Friday January 31 2020, @05:16PM (#951828) Journal

      A cloud provider doesn't need to use hardware.

      They can put all their hardware in the cloud at a different cloud provider.

      Eventually all cloud providers can do this until there is no hardware in any cloud provider.

      Then you won't have to worry about not owning the hardware.

      --
      The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
      • (Score: 0) by Anonymous Coward on Saturday February 01 2020, @02:42AM

        by Anonymous Coward on Saturday February 01 2020, @02:42AM (#952134)

        Same with the data.

  • (Score: 2) by jmichaelhudsondotnet on Friday January 31 2020, @03:36PM (3 children)

    by jmichaelhudsondotnet (8122) on Friday January 31 2020, @03:36PM (#951795) Journal

    A bug in the cloud is fundamentally different from a bug in a program, an OS, a processor, a LAN, a switch, a router or a PC.

    A bug in the cloud affects all of those things, your virtual processor, your virtual OS, your virtual LAN, your virtual switch, your virtual router and your virtual interface to the hypervisor *that you perceive out of laziness as an extension of your PC.*

    A bug in the cloud, could also be activated and deactivated by the provider any time they so choose, after it is considered by 100% of the people patched, and how could you know?

    What reporter is going to take your story that you saw this bug still active 6 months from now?

    None.

    What reporter is asking the question, how do we know no one else knew about this prior to 3rd party researchers finding it? How do we know one of those researchers didn't sit on it and abuse it for a month prior to telling the company?

    The chain of trust here is first of all very, very long, second of all, down at the bottom of this root of trust in this case 'Azure' and the Unit 8200 all stars that operate it is a vast amount of power. True power. To turn all of your cloud computers off with a switch, to know everything on your cloud computers, to turn your cloud computers into haunted houses with the flick of a switch, to even specifically interfere with a single page load to inject a psychological operation on a target.

    But the general consensus I feel, not on SN, but in the more Hackernews, Wired space, like usual, this boundless trust that it can't be that bad.

    But in every case it has been that bad, usually worse. But for some reason this article reads like some big win, there was a problem we fixed it gobacktosleep, and I find this level of analysis profoundly dangerous, shallow, and technically incompetent. Actually propaganda, or outright marketing like other itt say.

    For an institution like any military to outsource that level of control to another country is an act of submission, fealty, and subjugation. And outright stupidity, caprica style.

    https://archive.is/f4TVo [archive.is]
    https://archive.is/5II5U [archive.is]
    https://archive.is/xXs6r [archive.is]
    https://archive.is/5SRMf [archive.is] this one is off topic but everyone loves the scottish

    • (Score: 3, Informative) by DannyB on Friday January 31 2020, @05:19PM (2 children)

      by DannyB (5839) Subscriber Badge on Friday January 31 2020, @05:19PM (#951833) Journal

      It's bugs all the way down.

      You can't trust your cloud provider.
      You can't trust their OS
      You can't trust their hardware.

      You can't trust the OS installed on your own hardware.
      You can't trust the firmware on your hardware.
      You can't trust Intel Management Extensions on your own hardware

      The Psi Corps is your friend. Trust the corps!

      --
      The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
      • (Score: 2) by jmichaelhudsondotnet on Saturday February 01 2020, @03:49PM (1 child)

        by jmichaelhudsondotnet (8122) on Saturday February 01 2020, @03:49PM (#952359) Journal

        I thought I would say what I trusted then I realized that is a bad idea.

        Only what can be audited can be trusted, so it is clear that *someone* somewhere intentionally does not want this, and feels very strongly about it.

        And that is koolaid I won't drink, so maybe we can be friends and not trust each other and everything, together.

        Good times, this timeline is so wonderful, I am so glad biff was able to win the lottery.

        https://archive.is/ws6XQ [archive.is]

        • (Score: 2) by DannyB on Monday February 03 2020, @02:56PM

          by DannyB (5839) Subscriber Badge on Monday February 03 2020, @02:56PM (#953133) Journal

          The Auditor can't be trusted.

          --
          The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
  • (Score: 1, Insightful) by Anonymous Coward on Friday January 31 2020, @06:08PM

    by Anonymous Coward on Friday January 31 2020, @06:08PM (#951871)

    So first the article says the cloud provider has to fix it themselves:

    "It undermines the concept of cloud security. You can't prevent it, you can't protect yourself. The only one who can is the cloud provider."

    and then that the customers have to:

    The spokesperson added that “customers who have applied the updates are protected,”

    So we can't fix it but if we don't update we're not safe?

  • (Score: 2) by jmichaelhudsondotnet on Monday February 03 2020, @09:35PM

    by jmichaelhudsondotnet (8122) on Monday February 03 2020, @09:35PM (#953300) Journal

    The auditor must submit replayable verifiable results; no one takes anyone's word for anything in security, or apparently anywhere.
