A vulnerability in Microsoft Inc.’s cloud database system left data at thousands of clients exposed to potential cyberattacks for about two years, according to the Israeli cybersecurity firm that discovered the bug.
More than 3,300 of the software giant’s customers were exposed to a flaw in its Azure Cosmos DB database product that could have granted a malicious actor access keys to steal, edit or delete sensitive data, according to researchers at the Tel Aviv-based Wiz.io. Wiz’s co-founder and Chief Technology Officer Ami Luttwak says his team of researchers discovered the vulnerability on August 9 while managing security for some of its own Fortune 500 clients.
Microsoft issued a statement: “Our investigation indicates no customer data was accessed because of this vulnerability by third parties or security researchers. We’ve notified the customers whose keys may have been affected during the researcher activity to regenerate their keys.”
Reuters reported earlier that Microsoft had warned thousands of its Azure customers about the security flaw. In an email to clients that was reviewed by Bloomberg News, the software firm asked network administrators to take four steps to protect their Cosmos databases, including generating new digital keys used to securely access those systems.
Microsoft said they had fixed the vulnerability. “There is no evidence of this technique being exploited by malicious actors,” the company said in an emailed statement. “We are not aware of any customer data being accessed because of this vulnerability.”
The Wiz researchers found that the vulnerability existed since mid-2019, when Microsoft added a new feature to Cosmos DB called Jupyter Notebooks. The add-on allows database managers to insert lines of code so they can visualise and interact with their data. The feature had to be toggled on by users until February 2021, when Microsoft activated Jupyter Notebooks by default.
“If I’m a customer using the cloud database, my biggest fear is someone accessing my data without me knowing,” said Wiz’s Luttwak. “And that’s what this vulnerability would have done, if not corrected.”
Cosmos DB counts companies including Exxon Mobil Corp, Coca-Cola Co and Citrix Systems Inc as clients, according to Microsoft’s website for the service. In a customer testimonial on the site, the Walgreens pharmacy chain says it processes more than 6 million prescriptions a day and the company uses Azure Cosmos DB to run “microservices that its prescription transactions rely on.”
Microsoft hires veteran Amazon cloud executive
Microsoft Corp is hiring former Amazon.com Inc. cloud executive Charlie Bell, according to a person familiar with the matter.
It’s not yet clear when Bell will join or what his exact role at Microsoft will be, said the person, who requested anonymity to discuss an appointment that isn’t yet public. Bell’s hiring comes as Microsoft’s Azure cloud division has been closing the gap with market leader Amazon Web Services.
At Amazon, Bell was a senior vice president who long reported to former AWS chief Andy Jassy and oversaw the engineering teams working on AWS’s main software services.
Early in his career, Bell worked on software for Nasa’s space shuttle program; he joined Amazon in 1998 when the company acquired his e-commerce software startup.
AWS has twice as much market share as Microsoft’s Azure, and both companies are looking to fend off inroads from Google.
A Microsoft spokesperson declined to confirm the hiring. Bell and Amazon didn’t immediately return requests for comment.
Bell is the latest in a string of departures amid a senior management shift that saw Jeff Bezos cede the CEO role to Jassy and Adam Selipsky take over as AWS chief.
Selipsky announced Bell’s departure earlier this month. Any non-compete agreement Bell signed with Amazon may prevent him from working on similar things at Microsoft; Amazon has long sought to enforce those agreements vigorously.