Network Computing Dark Reading

Advertise

Cloud

12/2/2019
03:30 PM

Dark Reading Staff
Quick Hits

0 comments
Comment Now

50%

Microsoft Fixes Flaw Threatening Azure Accounts

Researchers detail a bug they found in some of Microsoft's OAuth 2.0 applications.

Researchers from CyberArk today outlined a vulnerability they discovered this fall in some Microsoft OAuth 2.0 applications that could allow an attacker to hijack Azure accounts. Microsoft fixed the flaw late last month.

The weaknesses lie in OAuth settings in Microsoft's Portfolios, O365 Secure Score, and Microsoft Service Trust applications, and could be abused by an attacker to grab admin accounts and basically "own" Azure accounts. OAuth is a popular authorization protocol that allows users to share information about their accounts among third-party applications and websites.

"The OAuth applications trust domains and sub-domains are not registered by Microsoft, so they can be registered by anyone (including an attacker). These apps are approved by default and are allowed to ask for 'access_token,'" CyberArk said in a blog post about the vuln. "The combination of these two factors makes it possible to produce an action with the user's permissions – including gaining access to Azure resources, AD resources and more."

Read more here.

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment |

Email This |

Print |

RSS

More Insights

Webcasts

Shaking Off Security Alert Fatigue: Tips for Taking Control

5 Steps to Integrate SAST into the DevSecOps Pipeline

More Webcasts

White Papers

IT Careers: Tech Drives Constant Change

Research Report: Rethinking Security for Digital Transformation

More White Papers

Reports

Assessing Cybersecurity Risk in Today's Enterprise

2019 Threat Hunting Report

More Reports

Comments

Newest First | Oldest First | Threaded View

[close this box]

Be the first to post a comment regarding this story.

Hot Topics

Editors' Choice

Exploitation, Phishing Top Worries for Mobile Users

Robert Lemos, Contributing Writer, 2/28/2020

5 Ways to Up Your Threat Management Game

Wayne Reynolds, Advisory CISO, Kudelski Security, 2/26/2020

Kr00k Wi-Fi Vulnerability Affected a Billion Devices

Robert Lemos, Contributing Writer, 2/26/2020

Live Events

Webinars

March 16-19, 2020: Data Center World Registration is open! Join Us

Data Center World: The leading conference & expo for Data Center and IT Infrastructure Professionals. Register Today!

Get Insights: Cisco vs Microsoft & More at EC20 Orlando

More Informa Tech Live Events

White Papers

IT Careers: Tech Drives Constant Change

Data Protection: Verify Anything and Everything

Research Report: Rethinking Security for Digital Transformation

Guide to Building Your Vendor Risk Management Program

The Essential Guide to Security

More White Papers

Video

All Videos

Cartoon

Latest Comment: "All this awareness would make us liable. Without them its ignorance, if we hire them it becomes negligence and i prefer ignorance. What you don't ...

Cartoon Archive

Current Issue

6 Emerging Cyber Threats That Enterprises Face in 2020

This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

State of Cybersecurity Incident Response

Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.

Download Now!

How Enterprises Are Developing and Maintaining Secure Applications

0 comments

How Enterprises are Attacking the Cybersecurity Problem

0 comments

How Data Breaches affect the Enterprise

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2020-10018
PUBLISHED: 2020-03-02

accessibility/AXObjectCache.cpp in WebKit, as used in WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4, allows a denial of service (application crash) because maintenance of the m_deferredFocusedNodeChange data structure mishandles removal.

CVE-2018-20347
PUBLISHED: 2020-03-02

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.

CVE-2018-5951
PUBLISHED: 2020-03-02

An issue was discovered in Mikrotik RouterOS. Crafting a packet that has a size of 1 byte and sending it to an IPv6 address of a RouterOS box with IP Protocol 97 will cause RouterOS to reboot imminently. All versions of RouterOS that supports EoIPv6 are vulnerable to this attack.

CVE-2019-14893
PUBLISHED: 2020-03-02

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @Js...

CVE-2018-19798
PUBLISHED: 2020-03-02

Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uploading an arbitrary ".php" file with the application/x-php Content-Type to the accidents_add.php?submit=1 URI, as demonstrated by the value_Images_1 field, which leads to remote command execution on the remote server. Any...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]