Hackers could have the ability to read, change or even delete the main databases of its customers, Microsoft warned thousands of its cloud computing customers on Thursday that included some of the largest companies of the world, claimed a report published by the news agency Reuters based on a copy of an email sent by Microsoft to a cyber security researcher.
Microsoft Azure's flagship Cosmos DB database is where the company has found the vulnerability. This vulnerability was discovered by a research team at security company Wiz as the researchers were able to access keys that control access to databases of thousands of clients of Microsoft.
Ami Luttwak, the Chief Technology Officer of Wiz, is also the former chief technology officer at Microsoft's Cloud Security Group.
The customers of Microsoft were mailed because the company cannot change the keys itself. The clients were asked by Microsoft to create new keys. According to an email it sent to Wiz, a reward of $40,000 will be paid by Microsoft to Wiz for finding the flaw and reporting it.
"We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," Microsoft told Reuters.
Microsoft did not have any evidence to show that the flaw had been exploited by hackers yet, the company said in its email to customers. "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," the email said.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Luttwak said his team first detected the problem, dubbed ChaosDB, on August 9 and was reported to Microsoft on August 12.
A visualization tool called Jupyter Notebook contained the flaw. This has been there for years but was enabled by default in Cosmos beginning in February. Wiz detailed the issue in a blog post after Reuters reported on the flaw.
Hackers could swipe keys of even those customers who have not been notified by Microsoft, Luttwak said. If such hacking happens hackers will have access to data bases until the keys are changed. Only those customers whose keys were visible this month, when Wiz was working on the issue, were notified by Microsoft.
"Customers who may have been impacted received a notification from us," Microsoft told Reuters but did not elaborate further.
Over the last few months, Microsoft has faced several security issues. The same suspected Russian government hackers that infiltrated SolarWinds also breached the company. Exchange email servers of the company were then hacked while a patch was being developed and a large number of hackers were involved in this successful attempt.
The company also had to repeatedly redo a fix for a printer flaw recently that allowed computer takeovers.
Compared to the previous security issues, the problems with Azure can have a wider impact on Microsoft since the company and outside security experts have been emphasizing that companies should not use most of their own infrastructure and instead depend on the cloud for greater data security.
(Source:www.businesstoday.in)
Microsoft Azure's flagship Cosmos DB database is where the company has found the vulnerability. This vulnerability was discovered by a research team at security company Wiz as the researchers were able to access keys that control access to databases of thousands of clients of Microsoft.
Ami Luttwak, the Chief Technology Officer of Wiz, is also the former chief technology officer at Microsoft's Cloud Security Group.
The customers of Microsoft were mailed because the company cannot change the keys itself. The clients were asked by Microsoft to create new keys. According to an email it sent to Wiz, a reward of $40,000 will be paid by Microsoft to Wiz for finding the flaw and reporting it.
"We fixed this issue immediately to keep our customers safe and protected. We thank the security researchers for working under coordinated vulnerability disclosure," Microsoft told Reuters.
Microsoft did not have any evidence to show that the flaw had been exploited by hackers yet, the company said in its email to customers. "We have no indication that external entities outside the researcher (Wiz) had access to the primary read-write key," the email said.
“This is the worst cloud vulnerability you can imagine. It is a long-lasting secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to get access to any customer database that we wanted.”
Luttwak said his team first detected the problem, dubbed ChaosDB, on August 9 and was reported to Microsoft on August 12.
A visualization tool called Jupyter Notebook contained the flaw. This has been there for years but was enabled by default in Cosmos beginning in February. Wiz detailed the issue in a blog post after Reuters reported on the flaw.
Hackers could swipe keys of even those customers who have not been notified by Microsoft, Luttwak said. If such hacking happens hackers will have access to data bases until the keys are changed. Only those customers whose keys were visible this month, when Wiz was working on the issue, were notified by Microsoft.
"Customers who may have been impacted received a notification from us," Microsoft told Reuters but did not elaborate further.
Over the last few months, Microsoft has faced several security issues. The same suspected Russian government hackers that infiltrated SolarWinds also breached the company. Exchange email servers of the company were then hacked while a patch was being developed and a large number of hackers were involved in this successful attempt.
The company also had to repeatedly redo a fix for a printer flaw recently that allowed computer takeovers.
Compared to the previous security issues, the problems with Azure can have a wider impact on Microsoft since the company and outside security experts have been emphasizing that companies should not use most of their own infrastructure and instead depend on the cloud for greater data security.
(Source:www.businesstoday.in)
Homepage
Send to a friend
Printable version
Share
