Microsoft has warned thousands of users of its cloud services that attackers could read, modify, and even delete stored information. Potential victims include global corporations.
The vulnerability was discovered in Cosmos DB, the "flagship" database of Microsoft Azure, the most popular cloud service. Experts from cybersecurity company Wiz were able to obtain keys that control access to the databases of thousands of companies. Notably, Wiz co-founder and CTO Ami Luttwak is a former CTO of the Microsoft Cloud Security Group.
Since Microsoft cannot change the keys on its own, it sent out alerts to affected companies urging them to create new ones. Wiz will be paid $40,000 (not a particularly large sum for such a business) for discovering the vulnerability.
According to Microsoft, the company immediately "healed" the problem, and there is no evidence that anyone other than the researchers at Wiz tried to exploit the security hole. According to Luttwak, this is the worst vulnerability imaginable: researchers could access any company's data in a "central" Azure database. According to him, the problem, called ChaosDB, was discovered on August 9, and on August 12 the company reported it to Microsoft.
The source of the problem was the Jupyter Notebook visualization tool, which has been available for many years but has only been activated by default since February this year. Luttwak also noted that the keys should be changed even by users who were not notified by Microsoft, since it is possible that their keys could also have been accessed. Microsoft says it has already notified everyone who needed to be notified.
The latest vulnerability is just one in a string of Microsoft problems in recent months. That said, the Azure issues are of particular concern, as Microsoft and third-party experts strongly urge businesses to move to "safer" cloud services, ditching their own storage infrastructure.