Snynet Solution Logo
MON - SUN: 10 AM - 6 PM
+60 11 5624 8319

Blog

Microsoft says Azure users will have to patch these worrying security flaws themselves

Image Description

Microsoft’s latest guidelines regarding the recently disclosed OMI vulnerabilities has put the onus on users to patch many of the affected Azure services.

The September Patch Tuesday bundle shipped with fixes for four zero-day vulnerabilities in the open source software agent named Open Management Infrastructure (OMI), which is automatically deployed inside Linux virtual machines (VM) when users enable certain Azure services.

However, instead of patching all affected Azure services, Microsoft has put an advisory stating that while it’ll update six of them, seven others must be updated by users themselves.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window

“Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below...For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions across Azure regions as per the schedule in the table below,” reads the advisory. 

High and dry

The Register points out that Microsoft’s handling of the situation hasn’t gone down well with security researchers.

“They’ve also failed to update their own systems in Azure to install the patched version on new VM deployments. It’s honestly jaw dropping,” tweeted security researcher Kevin Beaumont.

Since Microsoft has left it upon users to patch the impacted services, it didn’t take researchers long to discover vulnerable instances.

“There are 56 known exposed services worldwide that are likely vulnerable to this issue, including a major health organization and two major entertainment companies,” wrote security vendor Censys after performing an impact assessment. 

While the number seems small, Censys reasons it’s probably because of how the OMI service responds to such scans, or perhaps because exposing OMI to the internet likely requires deliberate effort.

In any case, since exploiting the vulnerability is a “laughably easy trick” according to Sophos, security researchers strongly urge users to patch any vulnerable OMI-using services in their Azure deployments without delay.

Via The Register

Date

17 Sep 2021

Sources


Share


Other Blog

  • PC gamers invited to build the world's largest supercomputer

    Salad wants gamers to lend their idle gaming rigs to solve computational-intensive problems.

    Read More
  • WhatsApp is getting a crafty new way to verify your identity

    WhatsApp is developing a new feature that will make logging into the service simpler on Android.

    Read More
  • CNA Financial pays out one of the biggest ransomware payments ever

    CNA reportedly paid $40 million after failing to regain control over its networks for two weeks.

    Read More
  • Indian news websites, OTT platforms now under I&B purview-Will it lead to censorship?

    Indian government has issued an order to bring online news platforms and OTT streaming platforms like Netflix, Amazon Prime under the Ministry of Information and Broadcasting. What are its implications? Read on.

    Read More

Find Out More About Us

Want to hire best people for your project? Look no further you came to the right place!

Contact Us