Skip to main content

Microsoft patches serious security flaws in Azure

Google cloud services
(Image credit: Shutterstock)
Audio player loading…

Security researchers at Check Point have identified two major security flaws in Microsoft Azure (opens in new tab) that could be exploited by hackers to gain access to sensitive information stored on machines running Azure or to take over Azure servers.

The first security flaw was discovered in Azure Stack and if exploited, it would enable a hacker to gain access to screenshots and other sensitive information from machines running Azure.

Azure stack is a cloud computing software solution that was developed by Microsoft to allow enterprises to deliver Azure services from their own data centers. The software giant created Azure Stack as a means of helping organizations embrace hybrid cloud computing on their own terms while still being able to address business and technical considerations.

Researchers at Check Point were able to take screenshots and collect sensitive information of Azure tenants and infrastructure machines by exploiting the flaw. However, in order for a hacker to take advantage of the flaw, they would first need to gain access to the Azure Stack Portal which would enable them to send unauthenticated HTTP requests.

Azure App flaw

The Azure App flaw discovered by Check Point (opens in new tab) would have enabled a hacker to take control over an entire Azure server and consequentially an enterprise's business code.

Azure App Service is a fully managed Platform as a Service (PaaS (opens in new tab)) that integrates Microsoft Azure websites and other services into a single service while also adding new capabilities that enable integration with on-premises or cloud systems.

Check Point's researchers were able to prove that a hacker could compromise tenant applications, data and accounts by creating a free user in Azure Cloud and running malicious Azure functions.

The security company disclosed the flaws to Microsoft and together the two worked closely to fix the issues. Full patches for both security flaws were released at the end of last year to prevent them from being exploited by hackers.

Via Gizbot (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.