Microsoft Azure Security Flaws Found, Now Fixed: Check Point

As Microsoft CEO Satya Nadella emphasised on keeping Azure Cloud secure with integrated end-to-end identity, security and compliance solutions, cybersecurity firm Check Point on Thursday revealed that it identified two major security flaws in Microsoft Azure last year which have now been fixed.

The researchers at Israel-based Check Point discovered that a user on the Azure network could have potentially taken control over the entire server, opening a path to business code theft and manipulation.

The first security flaw was found in Azure Stack and the second security flaw was found in Azure App Service.

"The Azure Stack Flaw would have enabled a hacker to gain screenshots and sensitive information of machines running on Azure. The Azure App Flaw would have enabled a hacker to take control over the entire Azure server, and consequently take control over an enterprises' business code," the firm said in a statement.

Check Point said it worked closely with Microsoft to solve these issues, making the cloud more secure.

The first security flaw was disclosed by Check Point on January 19 last year while the second security flaw was disclosed on June 27. Full patches for both security flaws in Azure were issued to the public by the end of 2019.

In the Azure Stack flaw, Check Point researchers were able to take screenshots and lift sensitive information of Azure tenants and infrastructure machines.

"This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure," the researchers said.

In the Azure App flaw, an attacker could take control over server and business code.

Researchers at Check Point were able to prove that a hacker could compromise tenant applications, data, and accounts by creating a free user in Azure Cloud and running malicious Azure functions.

"The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code," the Check Point report said.

The disclosure came as Nadella, during an earnings call on Wednesday, said that now to security, cybercrime will cost businesses, governments and individuals $1 trillion this year.

"We are the only company that offers integrated end-to-end identity, security and compliance solutions to protect people and organisations, spanning identity management, devices, cloud apps, data and infrastructure," Nadella emphasised.

He said that Azure is the only Cloud that offers consistency across operating models, development environments, and infrastructure stack, enabling customers to bring cloud compute and intelligence to any connected or disconnected environment.

"Azure Stack Edge brings rapid Machine Learning inferencing closer to where data is generated and the new ruggedized Azure Stack form factors provide cloud capabilities in even the harshest of conditions like disaster response," he explained.

"Our differentiated approach across the cloud and edge is winning customers. The US Department of Defense chose Azure to support our men and women in uniform at home, abroad, and at their tactical edge," Nadella asserted.

There will be 175 zettabytes of data by 2025, up from 40 zettabytes today.

"Processing this data in real-time will be an operational imperative for every organization. Azure Synapse is our limitless analytics service. It brings together big data analytics and data warehousing with unmatched performance, scale and security," the Microsoft CEO said.