A Microsoft AI research team that uploaded training data on GitHub in an effort to offer other researchers open-source code and AI models for image recognition inadvertently exposed 38TB of personal data. Wiz, a cybersecurity firm, discovered a link included in the files that contained backups of Microsoft employees' computers. Those backups contained passwords to Microsoft services, secret keys and over 30,000 internal Teams messages from hundreds of the tech giant's employees, Wiz says. Microsoft assures in its own report of the incident, however, that "no customer data was exposed, and no other internal services were put at risk." The link itself was included deliberately, so that interested researchers could download pretrained models; that part was no accident.
Wiz Research discovered a new attack vector in Azure Active Directory that exposed misconfigured applications to unauthorized access. These misconfigurations are fairly popular, especially with Azure App Services and Azure Functions. Based on our scans, about 25% of multi-tenant applications turned out to be vulnerable. We found several high-impact, vulnerable Microsoft applications. One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users.
Microsoft has fixed a bug in the Azure Automation service that could have allowed one account owner to access another customer's accounts using the same service. Azure Automation lets customers automate cloud management tasks or jobs, update Windows and Linux systems, and automate other repetitive tasks. According to security firm Orca, the bug, which it reported to Microsoft on December 6, allowed a potential attacker on the service to "gain full control over resources and data of a targeted account, depending on the permissions of the account." Orca researcher Yanir Tsarimi says the flaw he found allowed him to interact with an internal Azure server that manages the sandboxes of other customers.
Turn on a device within Microsoft and there's a good chance that it's listed in OneAsset, Microsoft's inventory management system. Microsoft recently moved OneAsset to the cloud, a move that has dramatically improved system performance and sets the stage for future development. OneAsset is what you might call a very mission-critical app. "OneAsset is essentially the inventory system for every device that exists within Microsoft. That's every single piece of hardware from laptops to servers: all the various pieces of network, storage equipment, even virtual devices," says Pete Apple, principal service engineer in Core Services Engineering and Operations (CSEO), the engineering organization at Microsoft that builds and manages the products, processes, and services that Microsoft runs on.