Microsoft Fixes Vulnerability That Compromised Bing and Office 365

Microsoft admitted today that it patched a serious security misconfiguration in its Azure cloud service that compromised Bing and Office 365 after it was alerted by security researchers at Wiz. The problem was fixed two months ago, on February 2, just five days before Microsoft surprised the world with its AI-based Bing chatbot.

“Wiz Research found a common misconfiguration in Azure Active Directory that compromised multiple Microsoft applications, including a Bing management portal,” a Wiz blog post explains. “We found several high-impact, vulnerable Microsoft applications. One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact [cross-site scripting] attacks on Bing users. Those attacks could compromise users’ personal data, including Outlook emails and SharePoint documents.”


“We appreciate the collaboration with Wiz, which helped us mitigate a potential risk and further harden our services and thank them for working with us to protect the ecosystem,” a Microsoft statement notes. Wiz responsibly disclosed its findings to Microsoft before going public, allowing it to fix the issues.

Separately, the software giant said that the misconfiguration impacted only “a small number” of its internal applications and that it “immediately corrected the misconfiguration.” Microsoft also added additional authorization checks to address the issue, confirmed that no unintended access had occurred, and confirmed that all the actions outlined by the Wiz researchers are no longer possible because of these fixes. Additionally, Microsoft made other, unspecified changes to reduce the risk of future misconfigurations.

Wiz confirmed that Microsoft’s fixes were effective and said that there was no evidence that attackers had ever exploited the misconfiguration. Had it gone unnoticed, however, it could have remained open and exploitable for years.


Thurrott © 2024 Thurrott LLC