The cybersecurity and bug-hunting team of the Italian firm Swascan has uncovered five vulnerabilities in servers belonging to Microsoft’s IT infrastructure.
Microsoft is the well-known American multinational technology company. Its best-known software products are the Microsoft Windows line of operating systems and the Microsoft Office suite. In addition, the Redmond, Washington-based company sells consumer electronics, from smartphones to personal computers, and is one of the largest cloud providers in the world.
Swascan is the Italian cybersecurity company founded by Raoul Chiesa and Pierguido Iezzi. Swascan is the first cloud-based cybersecurity testing platform that lets organisations identify, analyse and fix the vulnerabilities of websites and IT infrastructure alike.
Just a few weeks ago Swascan identified five vulnerabilities in Microsoft’s server infrastructure, distributed by severity as follows:
- High: 3
- Medium: 1
- Low: 1
If exploited, these weaknesses could have affected the confidentiality, integrity and availability of the affected systems. Immediately after confirming the findings, Swascan contacted Microsoft’s security team.
Microsoft Vulnerabilities
The identified weaknesses fell into the following CWE categories:
- CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer): the software performs operations on a memory buffer, but it can read from or write to a memory location that is outside the intended boundary of the buffer. Certain languages allow direct addressing of memory and do not automatically ensure that such addresses are valid for the buffer being referenced. This can cause read or write operations to land on memory that belongs to other variables, data structures or internal program data. As a result, an attacker may be able to execute arbitrary code, alter the intended control flow, read sensitive information or crash the system.
- CWE-94 (Improper Control of Generation of Code, ‘Code Injection’): the software constructs all or part of a code segment using externally influenced input from an upstream component, but does not neutralise, or neutralises incorrectly, special elements that could modify the syntax or behaviour of the intended code segment. When the software allows user input to contain code syntax, an attacker may be able to craft that input so that it alters the intended control flow of the software, which can lead to arbitrary code execution. Injection problems encompass a wide variety of issues, mitigated in very different ways, so the most useful way to discuss them is to note the features they share. The most important one is that all injection problems allow control-plane data to enter through the user-controlled data plane: the execution of the process can be altered by sending code through legitimate data channels, with no other mechanism. While buffer overflows and many other flaws need some further issue to gain execution, injection problems only need the data to be parsed. The classic instantiations of this category are SQL injection attacks and format string vulnerabilities.
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): an information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorised to have access to it.
The information either:
- is regarded as sensitive within the product’s own functionality, such as a private message;
- or provides data about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a remotely accessible product.
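As an added illustration of the first two weakness classes listed above, here is a small C program that puts the vulnerable form of each next to a hardened form. It is example code written for this page, not code from Swascan, from Microsoft, or from the vulnerabilities in this report (whose details are not published). The buffer size NAME_LEN, the function names and the sample strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* size of the fixed destination buffer (assumed for this example) */

/* Bounded strlen: length of s, but never scans past max bytes.
 * Local helper so the example does not depend on POSIX strnlen. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* ---- CWE-119: out-of-bounds write ---------------------------------- */

/* Vulnerable pattern: strcpy trusts the caller to have sized dst for src.
 * Any src of NAME_LEN or more characters writes past the end of dst,
 * clobbering whatever sits after it on the stack or heap. Kept only to
 * show the pattern; never call it with attacker-controlled input. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Hardened version: measure first, and reject (rather than silently
 * truncate) input that does not fit together with its terminator.
 * Returns 0 on success, -1 if src does not fit. */
int copy_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = bounded_len(src, NAME_LEN);
    if (n >= NAME_LEN) {        /* no room left for the NUL terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n characters plus the terminator, all in bounds */
    return 0;
}

/* Convenience wrapper: copy into a stack buffer and report the result
 * code, double-checking that a successful copy preserved the content. */
int try_copy(const char *src) {
    char buf[NAME_LEN];
    int rc = copy_name_safe(buf, src);
    if (rc == 0 && strcmp(buf, src) != 0)
        return -2;              /* should be unreachable */
    return rc;
}

/* ---- CWE-94 (format-string flavour): control data in the data plane --- */

/* Vulnerable pattern: the untrusted string *is* the format string, so a
 * '%x' or '%n' inside it is parsed as a conversion specifier and makes
 * printf read (or, with %n, write) memory it was never given. */
void log_unsafe(const char *untrusted) {
    printf(untrusted);          /* untrusted input in the control position */
}

/* Hardened version: the format string is a constant and the untrusted
 * input is passed as an argument, so any '%' in it is plain data. */
void log_safe(const char *untrusted) {
    printf("%s\n", untrusted);
}

/* Audit helper: count conversion specifiers in s. A literal "%%" is an
 * escape, not a directive, so it is skipped. A non-zero result means the
 * string would be dangerous if it ever reached a format-string sink. */
int count_directives(const char *s) {
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {  /* "%%" -> literal percent sign */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample inputs for the demonstration. */
    const char *ok        = "alice";
    const char *long_name = "this-name-is-far-too-long-for-the-buffer";
    const char *hostile   = "progress: 100%% ... %x %x %x %n";

    printf("copy '%s': rc=%d\n", ok, try_copy(ok));               /* rc=0  */
    printf("copy '%s': rc=%d\n", long_name, try_copy(long_name)); /* rc=-1 */

    printf("directives in hostile string: %d\n", count_directives(hostile)); /* 4 */
    log_safe(hostile);          /* prints the '%' characters verbatim */
    /* copy_name_unsafe and log_unsafe are deliberately not exercised. */
    return 0;
}
```

The two halves share one lesson: the bug is not the copy or the print itself but the fact that attacker-controlled bytes decide how much is written (CWE-119) or what the function interprets as instructions (CWE-94). The hardened forms fix that by measuring against a known bound before writing and by keeping the format string a compile-time constant.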
Swascan and Microsoft
In line with Swascan’s spirit and objectives, this article is not intended to describe the identified vulnerabilities in technical detail. Its purpose is instead to underline the importance of genuine cooperation between software vendors and cybersecurity companies. Microsoft’s attention to our findings, and the email exchanges and evaluations that followed, made this one of the most serious, professional and transparent collaborations we have experienced in our careers. For these reasons, the Swascan team would like to congratulate the security experts, reverse engineers and programmers working with Microsoft. This case perfectly illustrates the need for collaboration between IT security companies (here Swascan) and vendors (here Microsoft’s team).
“CERTs, Security Response Centers and PSIRTs play a key role in the security ecosystem of the digital world we live in today. Our hope is to find more and more well-prepared teams, just like the Microsoft Security Response Center’s team, which has shown exemplary behaviour and great consideration and care for its customers,” said Swascan co-founder Pierguido Iezzi.
Pierguido Iezzi, Swascan co-founder, Cybersecurity Director
Raoul “Nobody” Chiesa, Swascan co-founder, InfoSec addict