Microsoft beat security researchers to the punch on a dangerous Azure vulnerability. A CyberArk blog post titled 'I Know What Azure Did Last Summer' discloses a bug in the tech giant's cloud platform that was exploitable for up to two weeks.
The researchers were able to exploit this bug in the wild to grab an Azure token from an external organization. As a precaution, CyberArk then bought 72 urehub domains with various suffixes. Tsarfari says the bug could have led to complete takeovers of Azure environments.
“While there is a lot of honey in the Cloud Computing solutions, there is also a sting to be aware of. Relying on ‘someone else's computer’ also means relying on someone else's security measures. We've seen a lot of attacks that have focused on cloud configuration weaknesses – and seeing and understanding these vulnerabilities helps us fortify our cloud environments,” he cautioned. “But, what about the vulnerabilities we don't know of? Are we ready for those?”
A Speedy Fix
Thankfully, Microsoft also took action. The organization says it managed to discover and fix the bug before the researchers could report it.
“This issue was identified internally and we deployed a fix to address it,” a spokesperson told ThreatPost.
“Regarding the URI formats in the ExtensionsManifest, I think that it might be worth sticking to one URI format, as not doing that could be a root cause for many other bugs that could pop up over time,” he said.
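To make the point about mixed URI formats concrete, here is an added example (not code from CyberArk's post, Microsoft, or the Azure portal) that checks a constructed extension manifest. The host names, the manifest shape and the allowlist are all assumptions; it shows how the same host written in three formats resolves to different places under a lenient resolver, and how a strict check admits only one format with a label-boundary host allowlist.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: hosts the portal is expected to load extensions from.
ALLOWED_HOSTS = {"azurehub.example", "portal.example.com"}
PORTAL_BASE = "https://portal.example.com/"

def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact host or a subdomain of an allowed host, matched on a label
    boundary so 'evilazurehub.example' does not pass for 'azurehub.example'."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def classify_uri(uri):
    """Name the format a manifest entry uses: https, http, protocol-relative
    or no-scheme (a bare host/path that a resolver treats as a relative path)."""
    if uri.startswith("//"):
        return "protocol-relative"
    scheme = urlsplit(uri).scheme
    return scheme if scheme in ("http", "https") else "no-scheme"

def lenient_host(uri, base=PORTAL_BASE):
    """Host actually contacted when an entry is resolved against the portal
    base, which is how mixed formats silently change where code comes from."""
    return urlsplit(urljoin(base, uri)).hostname

def check_manifest(entries, allowed=ALLOWED_HOSTS):
    """Strict policy: one format only (absolute https) and an allowlisted host.
    Returns {name: (format, verdict)} so each rejection can be reported."""
    findings = {}
    for name, uri in entries.items():
        fmt = classify_uri(uri)
        if fmt != "https":
            findings[name] = (fmt, "reject: only absolute https URIs accepted")
            continue
        host = urlsplit(uri).hostname or ""
        ok = host_allowed(host, allowed)
        findings[name] = (fmt, "ok" if ok else f"reject: host {host!r} not allowed")
    return findings

# Constructed manifest mixing the formats the quote warns about.
MANIFEST = {
    "Compute": "https://ext.azurehub.example/compute/ext.js",
    "Storage": "//ext.azurehub.example/storage/ext.js",
    "Network": "ext.azurehub.example/network/ext.js",
    "Billing": "https://ext.evilazurehub.example/billing/ext.js",
    "Legacy": "http://portal.example.com/legacy/ext.js",
}

if __name__ == "__main__":
    for name, (fmt, verdict) in check_manifest(MANIFEST).items():
        print(f"{name:8} {fmt:18} -> {lenient_host(MANIFEST[name])}: {verdict}")
```

The "Network" entry is the instructive one: a lenient resolver fetches it from the portal's own host as a path, while the protocol-relative "Storage" entry goes to the extension host, so the same manifest reads differently depending on which format each author used.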
Good enterprise security practices will always help to limit the damage from vulnerabilities like this one, but ultimately the trust has to be placed in Microsoft. This time, at least, it caught the bug early.