The company says a flaw could have allowed hackers access to their customers’ data. Microsoft fixed a critical vulnerability in its Azure Container Instances.
Microsoft warned some of its Azure cloud computing customers that a flaw discovered by security researchers could have allowed hackers access to their data. Reuters reports that Microsoft’s security response team said it had fixed the flaw reported by Palo Alto Networks. It also claimed it had no evidence malicious hackers had abused the technique.
The blog post from the Microsoft Security Response Center (MSRC) came in response to questions from Reuters, they say. Microsoft did not answer any of the questions, however. Nor did they say whether they were confident that no one had accessed any data.
Acting “out of an abundance of caution”
“Which Azure Container Instances accounts were potentially affected?” This is the question that Microsoft poses to itself in the blog post. The answer from the MSRC is decidedly equivocal. “There is no indication any customer data was accessed due to this vulnerability,” they write.
“Out of an abundance of caution, notifications were sent to customers potentially affected by the researcher activities, advising they revoke any privileged credential that were deployed to the platform before August 31, 2021.”
In an earlier interview, Palo Alto researcher Ariel Zelivansky told Reuters his team had been able to break out of Azure’s widely used system for so-called containers that store programs for users. The Azure containers used code that had not been updated to patch a known vulnerability, he said.
As a result the Palo Alto team was able to eventually get full control of a cluster that included containers from other users.
This report is the second major flaw stemming from Microsoft’s core Azure system in as many weeks. In late August, security experts at Wiz described a database flaw that also would have allowed one customer to alter another’s data.
Reuters observes that in both cases, Microsoft’s acknowledgment focused on those customers who might have been somehow affected by the researchers themselves. They did this rather than address everyone put at risk by its own code.