Microsoft says Azure users will have to patch these worrying security flaws themselves

Security researchers aren’t impressed by Microsoft’s high-handedness

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Microsoft’s latest guidelines regarding the recently disclosedOMI vulnerabilitieshas put the onus on users to patch many of the affectedAzureservices.

TheSeptember Patch Tuesdaybundle shipped with fixes for four zero-day vulnerabilities in theopen sourcesoftware agent named Open Management Infrastructure (OMI), which is automatically deployed insideLinuxvirtual machines (VM) when users enable certain Azure services.

However, instead of patching all affected Azure services, Microsoft hasput an advisorystating that while it’ll update six of them, seven others must be updated by users themselves.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below…For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions across Azure regions as per the schedule in the table below,” reads the advisory.

High and dry

The Registerpoints out that Microsoft’s handling of the situation hasn’t gone down well with security researchers.

“They’ve also failed to update their own systems in Azure to install the patched version on new VM deployments. It’s honestly jaw dropping,”tweetedsecurity researcher Kevin Beaumont.

Since Microsoft has left it upon users to patch the impacted services, it didn’t take researchers long to discover vulnerable instances.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“There are 56 known exposed services worldwide that are likely vulnerable to this issue, including a major health organization and two major entertainment companies,”wrotesecurity vendor Censys after performing an impact assessment.

While the number seems small, Censys reasons it’s probably because of how the OMI service responds to such scans, or perhaps because exposing OMI to the internet likely requires deliberate effort.

In any case, since exploiting the vulnerability is a “laughably easy trick” according to Sophos, security researchers strongly urge users to patch any vulnerable OMI-using services in their Azure deployments without delay.

ViaThe Register

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

7 myths about email security everyone should stop believing

Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind