Reuters, San Francisco, August 26 - Microsoft (MSFT.O) on Thursday warned thousands of its cloud computing customers, including some of the world's largest companies, that intruders may have been able to read, change or even delete their main databases, according to copies of the email and statements from cybersecurity researchers.

The vulnerability exists in Cosmos DB, the flagship database of Microsoft Azure. A research team at the security company Wiz discovered that it could access the keys that control access to databases held by thousands of companies. Wiz CTO Ami Luttwak is a former CTO of Microsoft's Cloud Security Group.

Because Microsoft cannot change these keys on its own, it sent an email to customers on Thursday telling them to create new keys. According to an email sent by Microsoft to Wiz, Microsoft agreed to pay Wiz $40,000 for discovering and reporting the vulnerability.

"We immediately fixed this issue to ensure that our customers are safe and protected. We thank security researchers for their work in coordinating vulnerability disclosure," Microsoft told Reuters.

Microsoft's email to customers stated that there is no evidence the vulnerability has been exploited. "We have no indication that external entities other than the researcher (Wiz) had access to the primary read-write keys," the email said.

"This is the worst cloud vulnerability you can imagine. This is a long-standing secret," Luttwak told Reuters. "This is Azure's central database, and we can access any customer database we want."

Luttwak's team discovered the problem, dubbed ChaosDB, on August 9th and notified Microsoft on August 12th, Luttwak said.

The flaw exists in a visualization tool called Jupyter Notebook, which has been available for many years but has been enabled by default in Cosmos DB since February. After Reuters reported the vulnerability, Wiz detailed the issue in a blog post.

Luttwak said that even customers who have not received a notice from Microsoft may have had their keys stolen by attackers, giving those attackers access until the keys are changed. Microsoft only notified customers whose keys were visible this month, while Wiz was working on the issue.

Microsoft told Reuters that "customers who may be affected have received our notice," but did not elaborate.

This disclosure comes after months of bad security news for Microsoft. The same Russian government hackers who breached SolarWinds also stole Microsoft source code. Then, while a patch was being developed, a broad set of hackers broke into Exchange email servers.

A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. Another Exchange vulnerability last week prompted the US government to urgently warn customers to install a patch released a few months ago, because ransomware gangs are now exploiting it.

The Azure problem is particularly troubling because Microsoft and outside security experts have been pushing companies to abandon most of their own infrastructure and rely on the cloud for better security.

However, although cloud attacks are rarer, they can be more destructive once they occur. More importantly, some are never made public.

A federally contracted research laboratory tracks all known security vulnerabilities in software and rates them by severity. But there is no equivalent system for vulnerabilities in cloud architectures, Luttwak said, so many critical vulnerabilities have not yet been disclosed to users.
