Microsoft warned thousands of its cloud computing customers, including some of the world’s largest companies, that intruders could have the ability to read, change or even delete their main databases, according to a copy of the email and a cyber security researcher.

The vulnerability is in Microsoft Azure’s Cosmos DB database. A research team at the security company Wiz discovered that it was able to access the keys that control access to databases held by thousands of companies. Wiz’s technology director, Ami Luttwak, is a former director of technology at Microsoft’s Cloud Security Group.

Because Microsoft cannot change those keys by itself, it emailed customers on Thursday telling them to create new ones. Microsoft agreed to pay Wiz $40,000 for finding the flaw and reporting it, according to an email it sent to Wiz.

Microsoft said it had no immediate comment.

Microsoft’s email to customers said it had fixed the vulnerability and that there was no evidence the flaw had been exploited. “We have no indication that external entities outside the researcher (Wiz) have access to the main read-write key,” the email said.

“This is the worst vulnerability in the cloud that you can imagine. It is a long-term secret,” Luttwak told Reuters. “This is the central database of Azure, and we were able to access any customer database you want.”

Luttwak’s team found the problem, dubbed ChaosDB, on August 9 and notified Microsoft on August 12, Luttwak said.

The flaw was in a visualization tool called Jupyter Notebook, which has been available for years but was enabled by default in Cosmos as of February. After Reuters reported on the flaw, Wiz detailed it in a blog post.

Luttwak said that even customers who have not been notified by Microsoft could have had their keys taken by attackers, giving them access until the keys are changed. Microsoft only told customers whose keys were visible this month, when Wiz was working on the issue.

The disclosure comes after months of bad security news for Microsoft. The company was breached by the same suspected Russian government hackers that infiltrated SolarWinds, who stole Microsoft source code. Then a large number of hackers broke into Exchange email servers while a patch was being developed.

A recent fix for a printer flaw that allowed computer takeovers had to be redone repeatedly. Another Exchange flaw, ProxyShell, prompted an urgent U.S. government warning last week that customers need to install patches issued months ago because ransomware gangs are now exploiting it.

The problems with Azure are especially worrisome because Microsoft and outside security experts have been pressing companies to abandon most of their own infrastructure and rely on the cloud for more security.

But although cloud attacks are rare, they can be more devastating when they occur. In addition, some are never publicized.

A research laboratory contracted by the federal government tracks all known security flaws in software and rates them by severity. But there is no equivalent system for holes in cloud architecture, so many critical vulnerabilities remain undisclosed to users, Luttwak said.
