Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers

Patch Tuesday: Microsoft warns that unauthenticated hackers can take complete control of Azure Kubernetes clusters.

Software giant Microsoft on Tuesday released a massive batch of security patches with cover for at least 150 vulnerabilities and called urgent attention to a gaping hole that lets inauthentic hackers take full control of Azure Kubernetes clusters.

The vulnerability, tracked as CVE-2024-29990, allows an unauthenticated hacker to steal credentials and affects resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC), Redmond said in an advisory.

Redmond’s security response team said the Azure Kubernetes Service bug carries a CVSS severity score of 9/10 and could be exploited to take over confidential guests and containers beyond the network stack it might be bound to.

“An unauthenticated attacker can move the same workload onto a machine they control, where the attacker is root,” Microsoft warned.

The Azure Kubernetes Service bug headlines a massive patch bundle that includes fixes for a trio of remote code execution bugs in Microsoft Defender for IOT and a critical-severity Windows Secure Boot bypass that’s marked as already exploited.

The embattled company documented dozens of remote code execution issues affecting Windows OS and software components, the Microsoft Office productivity suite, Microsoft SQL Server, DNS Server, Visual Studio and Bitlocker.

According to ZDI, a company that tracks the release of software patches, this is the largest release from Microsoft since at least 2017 and does not include fixes for bugs exploited at this year’s Pwn2Own hacker contest.

Microsoft is facing intense criticism for its security practices with a recent US government report documenting shoddy cybersecurity practices, lax corporate culture and untruthfulness in public communications.

Advertisement. Scroll to continue reading.

In its review of the Microsoft Exchange Online hack, the government’s Cyber Safety Review Board (CSRB) called out “a cascade of Microsoft’s avoidable errors” that allowed Chinese hackers to break into its cloud service and steal sensitive data.

The CSRB, which styles itself as an independent investigative agency similar to the NTSB, said it found “a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.”

Related: Microsoft’s Security Chickens Have Come Home to Roost

Related: US Gov Rips Microsoft for Shoddy Security, Poor Response to Chinese Hack

Related: Patch Tuesday: Code Execution Flaws in Multiple Adobe Software Products 

Related: Microsoft Cloud Hack Exposed More Than Exchange, Outlook Emails

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights