Severe ‘Perfect 10.0’ Microsoft Flaw Confirmed: ‘This Is A Cloud Security Nightmare’

by Fnord666, from SoylentNews (#4YPNZ)

An Anonymous Coward writes:

https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/#7b5493dfb4a4

"This is a cloud security nightmare," Check Point's Yaniv Balmas tells me. "It undermines the concept of cloud security. You can't prevent it, you can't protect yourself. The only one who can is the cloud provider." In this case that's Microsoft, provider of the hyperscale Azure. Check Point is on a roll - a string of disclosures for vulnerabilities detected and disclosed in recent months. We've had WhatsApp, TikTok and Zoom. Now it's Microsoft's turn. "We thought it would be good to find weak points in the integrated security in the cloud," Balmas explains. "We chose Azure as our target."

Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, "a perfect 10.0," Balmas says, referring to the CVE score on Microsoft's disclosure in October. "It's huge - I can't even start to describe how big it is." The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.

There was no detail when Microsoft patched the flaw, just a short explainer. "An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code," the company said at the time, "thereby escaping the Sandbox." This week, Microsoft confirmed Check Point's report, telling me that "we released updates to address these issues in 2019." The spokesperson added that "customers who have applied the updates are protected," as covered at CVE-2019-1372 and CVE-2019-1234.
