back to article Flaws punched holes in Azure cloud, Apple patches pretty much everything, Eurocops cuff Maltese hackers, etc

It has been a busy week in infosec, though here's a few more security news bites to mull over. Storm clouds approaching Azure The bug-hunters at Checkpoint have laid claim to the discovery and reporting of two serious, and now patched, security flaws in Microsoft Azure. According to Checkpoint, the vulnerabilities would have …

  1. RobinCM

    Not "Microsoft Azure"

    The vulnerabilities were found in Azure Stack, which is an on-premise environment that gives you some of the functionality and look and feel of the full-blown Azure cloud. As the Checkpoint article states, and as I know from experience, Azure Stack is somewhat behind Azure in terms of features and versions. For example, you can do nested VMs in Azure, but not on Azure Stack. (One example of many!)

    Reg should really correct their headline, because unless the same vulnerabilities existed in full Azure, it is currently wrong.

    1. richardcox13

      Re: Not "Microsoft Azure"

      Read the Checkpoint articles more carefully. Part 2 (the App Services vulnerability) did affect Azure Cloud.

  2. Blade918rr

    What was the point of this post? A vulnerability was found and patched before public disclosure, A daily process for all platforms!

    1. mj.jam

      Just because it wasn't publicly disclosed ...

      doesn't mean others didn't know about it, nor were using this for their own purposes.

      It is ideal for things to be patched before disclosing them, since that allows the fix to be put in place before people start the mass exploitation that happens.

    2. Pascal Monett Silver badge

      Re: What was the point

      Information ? Alerting users to a possible issue and encouraging them to patch ?

      Do you really want patches to go unannounced ?

      Users have enough trouble as is keeping their shit together; if you don't blare the horn about it they'll just go on sleeping and nothing will ever get patched.

      1. HildyJ Silver badge
        Pint

        Re: What was the point

        Too many users can't be bothered to patch their kit. It interferes with their afternoon nap.

        I welcome El Reg's summary posts to see anything I might have missed during my nap.

    3. A random security guy

      Very educational

      I found the Checkpoint article very well written and thought-provoking. It shows how, when you violate a basic tenet of security, you can end up compromising the security of the stack. Was auditing someone's system just last week and they had all their internal systems using HTTP. We know that perimeter security is no longer a reliable antidote to hackers.

      I sent him this article and it opened his eyes (he got bug-eyed).

      Thank you, el-reg, for bringing this article to my attention.

  3. Robert Helpmann?? Silver badge
    Coat

    Taking the World by Storm

    Bug-hunter Nitesh Surana spotted a DoD site running a vulnerable version of Jenkins along with a suspicious script.

    Was it the Leeroy version of Jenkins? If it is, I can only say WoW!

    1. A random security guy

      Re: Taking the World by Storm

      I believe that the system could be accessed without credentials (you), and then some hacker got in and set up credentials and ran cryptocurrency mining software. The hacker was protecting 'his' server.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020