It’s been a busy couple of weeks for Microsoft—and not in a good way. Following the news that a configuration error left Azure cloud customer data exposed to potential compromise, and a security alert from Microsoft about an active exploit targeting a zero-day vulnerability in MSHTML, there are now reports of a critical security vulnerability that can allow attackers to compromise containers in Azure as well.
Cloud security is built on a shared responsibility model. Essentially, customers are responsible for securing and protecting anything they run or store in the cloud environment, but the cloud provider is responsible for securing and protecting the infrastructure and services they provide. Microsoft is not holding up its end of the bargain in this case.
Researchers discovered an issue with Microsoft’s containers-as-a-service offering, Azure Container Instances (ACI). The ACI hosting infrastructure is built on Kubernetes clusters, which can be compromised to allow an attacker to gain full control over other containers.
Azurescape—the name given to the vulnerability by the researchers—can enable a malicious attacker to execute code on other users’ containers or intercept and steal sensitive data. The flaw could also be used to leverage the ACI infrastructure to hijack other users’ containers for cryptomining.
Microsoft has released a patch to address the issue with ACI. It is still recommended that customers revoke any privileged credentials deployed before August 31, and review access logs for suspicious activity.
One of the biggest problems with Microsoft offering both the vulnerable software and the security solutions to protect it is that data and information about hacks or potential attacks will flow back to them—and they would have little incentive to share the information.
Microsoft has been down this road before, and they know this type of monoculture doesn’t end well. Microsoft came late to the web browser party and abused its market dominance to claim a virtual monopoly of the browser market. It took many years and an antitrust lawsuit to dethrone them and for real competition to emerge once again.
Fast forward a decade or so, and it turns out that the competing browsers were so much better that Microsoft retired the Internet Explorer browser and rebuilt their Microsoft Edge browser using the core engine of their primary competitor.
It’s not that big a deal if your browser experience is less than ideal, but it can be catastrophic if we allow this same scenario to play out with cybersecurity.
This is just the latest in a long string of events underscoring why you should not rely on Microsoft for security. French economist Frédéric Bastiat argued in the Parable of the Broken Window that it is equivalent to theft for someone to simultaneously be in the business of both breaking and fixing windows. That is essentially what Microsoft is doing. They are selling “broken windows,” and charging for the repairs by also offering to sell you the security tools to mitigate the risk they introduced.
If you search Google for the terms “Microsoft” and “vulnerability,” you’ll find many different critical ones from just the last few months. At the same time, Microsoft continues to shift gears to push their security stack more aggressively against well-established EDR and XDR players like Cybereason and CrowdStrike.
It borders on unethical. Microsoft leverages their dominant market position and pushes their security products basically for free. Microsoft is investing time and resources in taking a larger share of the security market, but they are offering an inferior product at a great discount. It’s primarily about customer lock-in. As the saying goes, “If you are not paying for the product, you are the product.”
We don’t have a team building operating systems, or cloud platforms, or email servers. We have teams dedicated to ensuring our customers’ security. We live through every incident with our customers. Our customers trust us knowing that our sole focus is entirely invested in them and their security.
Microsoft needs to focus on developing more secure code, and proactively finding and fixing vulnerabilities in their own products and platforms.
Leave cybersecurity to the experts. We are the best because we have to be. Because we owe it to our customers. Because we are laser focused on security.