Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers

April 9, 2024 at 02:54PM

Microsoft released a significant security patch addressing at least 150 vulnerabilities, including a critical flaw in Azure Kubernetes Service (CVE-2024-29990) enabling unauthenticated attackers to assume full control. This release also encompasses fixes for remote code execution issues in various Microsoft products. The move follows criticism of Microsoft’s security practices and a recent breach.

Microsoft has released a substantial number of security patches, covering at least 150 vulnerabilities. The urgent focus was on one vulnerability, CVE-2024-29990, which allows unauthenticated attackers to take control of Azure Kubernetes clusters. This vulnerability has a severity score of 9/10 and can be exploited to take over confidential guests and containers beyond the network stack it is bound to.

In addition, the patch bundle includes fixes for remote code execution bugs in Microsoft Defender for IoT, critical-severity Windows Secure Boot bypasses, and multiple remote code execution issues affecting various Microsoft products such as the Windows OS, Microsoft Office suite, Microsoft SQL Server, DNS Server, Visual Studio, and BitLocker.

Microsoft is facing criticism for its security practices, with a US government report highlighting alleged cybersecurity lapses and criticized decisions related to the Microsoft Exchange Online hack. This situation has led to intense scrutiny of Microsoft’s security posture and corporate culture in handling security risks.

It’s essential for Microsoft to address these vulnerabilities swiftly and comprehensively to maintain trust and security for its users and partners.
