As early as August 27, it was reported that Microsoft’s email and a network security researcher said that the company warned thousands of cloud computing customers on Thursday, including the world’s largest enterprises, intruders. There may be ability to read, change, even delete its main database.
This vulnerability appears in Microsoft Azure’s flagship product COSMOS database. A research team of security company WIZ found that it can access keys that control thousands of companies accessing database access rights. Amiluttwak, Chief Technology Officer, is the former Chief Technology Officer of Microsoft Cloud Safety Group.
Since Microsoft can’t change these keys themselves, the company sent an email on Thursday to inform them to create a new key. Microsoft sent to WIZ email display, Microsoft agreed to pay $ 40,000 to WIZ, used to reward it discovered and reported this vulnerability.
Microsoft spokesperson refused to review immediately.
Microsoft wrote in email sent to customers, they have now fixed this vulnerability, and there is no evidence that this vulnerability has been utilized. The company wrote: “There is no indication that external entities other than researchers (WIZ) can access primary read and write keys.”
Lugarvak said: “This is the worst cloud computing service vulnerability you can imagine. This is a long-term secret. This is azure’s central database, we can get any customer database we want. access permission.”
Lugarvak revealed that his team discovered this vulnerability named ChaosDB on August 9, and reported this question to Microsoft on August 12.
A few months ago, Microsoft has just encountered a security-related bad news. The company is suspected to be invaded by Russian hackers, and they steal some of Microsoft’s source code. Not long ago, Microsoft also repaired a problem that allowed the computer to be taken over by the printer. Last week, an email defect in Exchange triggered an urgent warning of the US government. The customer needs to be installed a few months ago, because the Lesso Software Gang is now using this defect.