by WalterSobchak on 8/2/23, 11:56 PM with 153 comments
by insanitybit on 8/3/23, 1:24 AM
These vulns are cross-tenancy violations, which, again, is insane. That's as bad as it gets for the cloud.
> This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks.
The insane thing is that some of these vulns are as easy to discover as just running nmap. I'm sort of shocked that people haven't run into them accidentally. Hardly sophisticated.
I'm not trusting Azure with shit.
by cookiengineer on 8/3/23, 4:06 AM
You can literally kerberoast Azure AD by default, and that's an attack vector known to be used in the wild since 2014. In a cloud service. Today.
Spammers literally rent Azure VMs because they know that the IP range of Azure is not processed by Outlook's/Exchange's email filters.
So often researchers did the right thing and disclosed everything correctly just to get Microsoft to say "oh yeah here is another RCE, but we don't give a damn. Oh, and there is no patch either."
It's just so ridiculous.
There's even unfixed RCEs of VBA from the Office 2013 days which still work, because the mentality of never touching running software crept into how Office is built (which is: have a literal copy of all outdated Office versions for the sake of compatibility).
And then people wonder why "Hackers" always say that Microsoft is insecure and why ISO27001 is now a Google dork to find easy-to-hack victims.
by m463 on 8/3/23, 12:28 AM
I think this is because of their business model, which is to respond quickly to the market with features, not stability, security or polish.
That said, their intrusive data collection is a nightmare.
by whalesalad on 8/3/23, 12:32 AM
by Animats on 8/3/23, 2:57 AM
by ChatGTP on 8/3/23, 12:28 AM
So long as Microsoft has something interesting to offer consumers and business, security will be the last thing people care about.
Microsoft has had absolutely terrible security since I've had a computer and it's been heavily criticized the whole time. None of this has stopped their meteoric rise to extreme profitability.
by nerdjon on 8/3/23, 1:25 AM
It isn't like Azure is just ignored in the industry; time and time again I see it billed as the "non-Amazon AWS" for companies that don't want to support AWS due to Amazon.
I feel like I hear more about GCloud issues than I do Azure issues which is concerning given how little GCloud is used even compared to Azure.
by Eisenstein on 8/3/23, 3:26 AM
> "Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles"
I hope someone quotes this line back when they inevitably introduce a 'we want a backdoor to encryption' legislation.
by OhMeadhbh on 8/3/23, 12:39 AM
About this time there was a "security stand-down" going down at MSFT in part because several federal customers LITERALLY had to solicit an ACT OF CONGRESS in order to continue to use Win2K (or an early version of XP) with all its known security flaws. Do not ask me about the version of Win2K in nuclear submarines. (Really. Don't ask me. That was someone else's project. I really don't know anything about it other than the rumors that were swirling around BlackHat.)
So here I am, coming in as some guy who's hip to secure software development and tools and how to convince devs to do the right thing re: security even though they're under a deadline. My third interview of the day was this guy who supposedly wrote Excel and was the "third highest ranking coder in all of MSFT" (not Simonyi, I would have recognized him.) And his first question was "So... how's your QA skills?" This isn't what I'm thinking I'm interviewing for, so I say "Pardon?" and he replies...
"This security thing is bullshit. Bill's going to eventually realize it's bullshit and in a couple months we'll go back to writing software the same way we used to. So I'm going to have to find a job for you and I'm thinking QA; that's the same thing as security."
I did not get that job.
I believe Michael Howard or Dave LeBlanc got it. They went on to write a pretty decent book about secure product development, and if you're a Microsoft shop and have heard of the Secure Development Lifecycle, it's largely because of Michael and Dave.
(Don't worry, I was fine. I went on to work at Handspring and PalmSource and a bunch of enterprisey dev shops that were hip to the idea of developing secure code. And my life was probably filled with fewer headaches than anyone at MSFT.)
But... I remembered that interaction. Microsoft keeps saying "oh yeah! we're big on security!" And in many ways they are. MSVC (or DevStudio or .NET whizbang or whatever they call it now) have several very cool fuzzing and analysis tools. I've heard the Azure group is better about security than they were, though that's rather a low bar. I feel for them since they have a metric boat-load of legacy code and a development methodology that sort of guarantees failure.
They are also the strangest and most conceited group of developers I've met (with the possible exception of Amazon or Facebook or Netflix.) Come to think of it... what the heck is it about these FAANG companies? I bet I'm just meeting the duds. There have GOT to be decent developers in there somewhere.
They're all HUGE dev organizations and I appreciate how difficult it is to get that many developers pointing in the same direction at the same time. But at the end of the day, MSFT has a culture that really doesn't care about security. Or at least that's my take on it. I'm sure there are plenty of places in Redmond where people care about writing code that isn't buggy or vulnerable. But it's 20 years later and it still hasn't spread far enough.
So it goes.
by 1vuio0pswjnm7 on 8/3/23, 1:50 AM
Listening to the cybersecurity person interviewed here play down the significance, one is left to possibly believe cybersecurity folks rely on Microsoft to keep them employed.
According to this podcast, the only reason the government discovered this breach is because they were paying Microsoft for the "privilege" to see who was accessing their email. Most customers were not paying thus would never have discovered similar unwanted access.
If charging for this transparency is a "business model", as the podcast suggests, and there were only a relatively small number of "customers", it really makes one wonder. How much money were they making from this "business model".
by falsandtru on 8/3/23, 1:02 AM
Too long.
by warrenm on 8/3/23, 12:15 PM
If Azure is as bad as this article makes them sound, does that mean most major security certifications are also as pointless as they look from the outside? Like the pointless ISO 9001 certification, which only states "we have a process; here's the process; we follow the process; we don't deviate from the process"?
by johnea on 8/3/23, 10:05 PM
https://www.pressenterprise.com/2015/06/10/cartoons-broken-w...
by jquast on 8/3/23, 3:37 AM
by 1attice on 8/3/23, 12:15 AM
I can't talk about what I saw while working there, but let's just say that I have a nervous tic when someone tells me "we have a team for security so you need not worry" and "when can you have it done by?"
by jrm4 on 8/3/23, 2:34 AM
by excalibur on 8/3/23, 2:01 AM