All users of Microsoft Corp's Azure cloud platform should change their digital access keys and not just the 3,300 clients who were notified this week by Microsoft about a massive flaw in the main databases stored in the cloud platform of the company, urged the researchers who discovered the flaw.
Earlier this month, researchers at Wiz, a cloud security company, worked out the possibility of them being able to gain access to the primary digital keys for most users of the Cosmos DB database system which would have allowed them to steal, change or delete of millions of records of the users.
After having been intimated to the vulnerability by Wiz, Microsoft was very quick to fix the configuration mistake that could have easily allowed any Cosmos user to breach into the databases of the company’s customers. It also notified some of the customers of its cloud services, asking them to change the keys.
Microsoft warned customers who had set up Cosmos access during the weeklong research period, the company said in a blog post on Friday. The software giant however also note in the blog post that it did not have any evidence that the flaw had been used to access customers’ data.
"Our investigation shows no unauthorized access other than the researcher activity," Microsoft wrote. "Notifications have been sent to all customers that could be potentially affected due to researcher activity," it said, potentially referring to the possibility of the technique having been leaked from Wiz.
"Though no customer data was accessed, it is recommended you regenerate your primary read-write keys," it said.
In a bulletin on Friday, stronger language was used by the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, saying that it was addressing not only to those who had been notified by Microsoft.
"CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key," the agency said.
This was also agreed to by the experts at Wiz which was founded by four veterans of Azure's in-house security team.
"In my estimation, it's really hard for them, if not impossible, to completely rule out that someone used this before," said one of the four, Wiz Chief Technology Officer Ami Luttwak. At Microsoft he developed tools for logging cloud security incidents.
When questioned about whether Microsoft had comprehensive logs for the two years when there was misconfiguration of the Jupyter Notebook feature or had used another way to rule out access abuse, the company refused to give a direct answer.
"We expanded our search beyond the researcher's activities to look for all possible activity for current and similar events in the past," said spokesman Ross Richendrfer, declining to address other questions.
While Wiz and Microsoft had been close collaborators on the research, but had not said how it could be sure earlier customers were safe.
"It's terrifying. I really hope than no one besides us found this bug," said one of the lead researchers on the project at Wiz, Sagi Tzadik.
(Source:www.moneycontrol.com)
Earlier this month, researchers at Wiz, a cloud security company, worked out the possibility of them being able to gain access to the primary digital keys for most users of the Cosmos DB database system which would have allowed them to steal, change or delete of millions of records of the users.
After having been intimated to the vulnerability by Wiz, Microsoft was very quick to fix the configuration mistake that could have easily allowed any Cosmos user to breach into the databases of the company’s customers. It also notified some of the customers of its cloud services, asking them to change the keys.
Microsoft warned customers who had set up Cosmos access during the weeklong research period, the company said in a blog post on Friday. The software giant however also note in the blog post that it did not have any evidence that the flaw had been used to access customers’ data.
"Our investigation shows no unauthorized access other than the researcher activity," Microsoft wrote. "Notifications have been sent to all customers that could be potentially affected due to researcher activity," it said, potentially referring to the possibility of the technique having been leaked from Wiz.
"Though no customer data was accessed, it is recommended you regenerate your primary read-write keys," it said.
In a bulletin on Friday, stronger language was used by the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, saying that it was addressing not only to those who had been notified by Microsoft.
"CISA strongly encourages Azure Cosmos DB customers to roll and regenerate their certificate key," the agency said.
This was also agreed to by the experts at Wiz which was founded by four veterans of Azure's in-house security team.
"In my estimation, it's really hard for them, if not impossible, to completely rule out that someone used this before," said one of the four, Wiz Chief Technology Officer Ami Luttwak. At Microsoft he developed tools for logging cloud security incidents.
When questioned about whether Microsoft had comprehensive logs for the two years when there was misconfiguration of the Jupyter Notebook feature or had used another way to rule out access abuse, the company refused to give a direct answer.
"We expanded our search beyond the researcher's activities to look for all possible activity for current and similar events in the past," said spokesman Ross Richendrfer, declining to address other questions.
While Wiz and Microsoft had been close collaborators on the research, but had not said how it could be sure earlier customers were safe.
"It's terrifying. I really hope than no one besides us found this bug," said one of the lead researchers on the project at Wiz, Sagi Tzadik.
(Source:www.moneycontrol.com)
Homepage
Send to a friend
Printable version
Share
