Cloud Service Flaws on Mend

Tuesday, April 17, 2012 @ 05:04 PM gHale

A persistent script code inject vulnerability is hampering the Microsoft Partner Network Cloud service.

The hole ended up discovered by researchers from Vulnerability Lab who are helping Microsoft patch up some serious vulnerabilities that affected two of their services.

RELATED STORIES
Cloud Coverage by Invensys
Cloudy Days Ahead
Azure Cloud Suffers Outage
FBI Pushes Cloud Security Rules
Enhanced Security for Cloud Computing

To demonstrate their findings, the researchers made a video proof-of-concept in which the Lab’s Chief Executive, Benjamin Kunz Mejri, shows how easy it is for an attacker to leverage the persistent script code injection flaws on a Microsoft Cloud aspx service to execute his own malicious code.

“The vulnerability allows a remote attacker or local low privileged user account to inject/implement malicious persistent script code (Application-Side). Successful exploitation with low required user inter action can result in session hijacking against admin, moderator and customer sessions or allows an attacker to manipulate requests via persistent script code inject,” the experts said.

After collaborating with the Microsoft Security Response Center (MSRC) team and after ensuring they addressed the issues, Vulnerability Lab made available the video and a proof-of-concept in text format that can offer some details.

The Microsoft Partner Network Cloud service wasn’t the only one found to have flaws. Microsofts Afkar, the site that allows Arabic users worldwide to play with new tools and ideas, contained a cross-site scripting (XSS) weakness that could have allowed a remote attacker to hijack user sessions and manipulate context.

In the past month, the Vulnerability Lab team has been very busy helping high-profile companies fix the bugs that exposed their websites and services to malicious operations.

First, they helped Microsoft address a flash component vulnerability that affected the Bing Service Application. Then, Shadab Siddiqui notified Apple on some dangerous SQL Injection vulnerabilities present in the Education Seminars & Events site.

Oracle’s security team also welcomed the feedback from the experts in handling multiple blind SQL Injection security holes that existed on sites such as campus.oracle.com, education.oracle.com, academy.oracle.com, and shop.oracle.com.