The vulnerability is in Microsoft Azure’s flagship Cosmos
database. A research team at security company Wiz discovered it was able to
access keys that control access to databases held by thousands of companies.
Wiz Chief Technology Officer Ami Luttwak is a former chief technology officer
at Microsoft’s Cloud Security Group.
Because those account keys are held by customers and Microsoft cannot
regenerate them on a customer's behalf, it emailed the customers Thursday
telling them to create new ones. Microsoft
agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to
an email it sent to Wiz. Microsoft spokespeople did not immediately comment.
Microsoft’s email to customers said it has fixed the vulnerability and that
there was no evidence the flaw had been exploited.
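The remediation Microsoft asked for is a key regeneration on the customer side. As an added example, not code from the article, from Wiz or from Microsoft, the script below rotates a Cosmos DB account's read-write keys with the Azure CLI in an order that avoids an outage: regenerate the key the applications are not using first, repoint the applications, then regenerate the one they were on. The account and resource-group names, the `switch_cmd` hook and the `AZ` override are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example: rotate a Cosmos DB account's read-write keys without downtime.
# Not the article's or Microsoft's own code; account/group names are placeholders.
set -eu

# AZ names the Azure CLI binary; overridable so the rotation can be dry-run
# or tested with a stub. In real use it is simply `az`.
AZ=${AZ:-az}

# Regenerate one account key. kind is one of:
#   primary, secondary, primaryReadonly, secondaryReadonly
regenerate_key() {
  account=$1; group=$2; kind=$3
  "$AZ" cosmosdb keys regenerate \
    --name "$account" --resource-group "$group" --key-kind "$kind"
}

# Rotate the read-write pair. in_use is the key the applications currently
# present (primary or secondary). The *other* key is regenerated first, so
# nothing breaks; switch_cmd (assumed caller-supplied, e.g. a script that
# pushes the fresh key into Key Vault or app settings) is then run with the
# name of that key, and only afterwards is the old in-use key invalidated.
rotate_rw_keys() {
  account=$1; group=$2; in_use=${3:-primary}; switch_cmd=${4:-true}
  case "$in_use" in
    primary)   first=secondary; second=primary ;;
    secondary) first=primary;   second=secondary ;;
    *) echo "in_use must be primary or secondary, got '$in_use'" >&2; return 2 ;;
  esac
  regenerate_key "$account" "$group" "$first"
  # Repoint clients to the newly generated $first key before cutting $second.
  $switch_cmd "$first"
  regenerate_key "$account" "$group" "$second"
}

# Usage (real run): rotate_rw_keys my-cosmos-acct my-rg primary ./repoint-apps.sh
```

Rotating both keys matters because the leaked secret in this incident was a long-lived account key, and regenerating only the key an application happens to use leaves the other one valid for anyone who already copied it. Regenerate the read-only pair the same way with the `primaryReadonly` and `secondaryReadonly` kinds if those were ever shared.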
“We have no indication that external entities outside the
researcher (Wiz) had access to the primary read-write key,” according to a
copy of the email seen by Reuters.
“This is the worst cloud vulnerability you can imagine. It
is a long-lasting secret,” Luttwak told Reuters. “This is the central
database of Azure, and we were able to get access to any customer database that
we wanted.” Luttwak’s team found the problem, dubbed ChaosDB, on August 9
and notified Microsoft August 12, Luttwak said.
The disclosure comes after months of bad security news for
Microsoft. The company was breached by the same suspected Russian government
hackers that infiltrated SolarWinds, who stole Microsoft source code. A recent
fix for a printer flaw that allowed computer takeovers had to be redone
repeatedly.
And an Exchange email flaw last week prompted an urgent US
government warning that customers need to install patches issued months ago
because ransomware gangs are now exploiting it.