Microsoft says Azure users will have to patch these worrying security flaws themselves

News
By published

Security researchers aren’t impressed by Microsoft’s high-handedness

Holographic representation of cloud computing over open businessman's hand
(Image credit: Shutterstock)

Microsoft’s latest guidelines regarding the recently disclosed OMI vulnerabilities has put the onus on users to patch many of the affected Azure services.

The September Patch Tuesday bundle shipped with fixes for four zero-day vulnerabilities in the open source software agent named Open Management Infrastructure (OMI), which is automatically deployed inside Linux virtual machines (VM) when users enable certain Azure services.

However, instead of patching all affected Azure services, Microsoft has put an advisory stating that while it’ll update six of them, seven others must be updated by users themselves.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below...For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions across Azure regions as per the schedule in the table below,” reads the advisory. 

High and dry

The Register points out that Microsoft’s handling of the situation hasn’t gone down well with security researchers.

“They’ve also failed to update their own systems in Azure to install the patched version on new VM deployments. It’s honestly jaw dropping,” tweeted security researcher Kevin Beaumont.

Since Microsoft has left it upon users to patch the impacted services, it didn’t take researchers long to discover vulnerable instances.

“There are 56 known exposed services worldwide that are likely vulnerable to this issue, including a major health organization and two major entertainment companies,” wrote security vendor Censys after performing an impact assessment. 

While the number seems small, Censys reasons it’s probably because of how the OMI service responds to such scans, or perhaps because exposing OMI to the internet likely requires deliberate effort.

In any case, since exploiting the vulnerability is a “laughably easy trick” according to Sophos, security researchers strongly urge users to patch any vulnerable OMI-using services in their Azure deployments without delay.

Via The Register

TOPICS
Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Flag of the People&#039;s Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
A hacker wearing a hoodie sitting at a computer, his face hidden.
Microsoft patches three worrying security flaws in its latest critical update, so update now
Representational image of a cybercriminal
Microsoft just patched a host of worrying security issues, so update now
Representational image depecting cybersecurity protection
Ivanti reveals major security update, so make sure you're protected
Latest in Pro
A person using a smartphone with a cybersecurity lock symbol appearing over it.
The growing threat of device code phishing and how to defend against It
Cybersecurity
Why OT security needs exposure management to break the cycle of endless patching
Employees sat around together discussing business issues.
AI deregulation: what smart leaders do when the rules go off the rails
Branch office chairs next to a TechRadar-branded badge that reads Big Savings.
This office chair deal wins the Amazon Spring Sale for me and it's so good I don't expect it to last
Saily eSIM by Nord Security
"Much more than just an eSIM service" - I spoke to the CEO of Saily about the future of travel and its impact on secure eSIM technology
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Latest in News
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring
More about pro
Cybersecurity

Why OT security needs exposure management to break the cycle of endless patching
Employees sat around together discussing business issues.

AI deregulation: what smart leaders do when the rules go off the rails
A person using a smartphone with a cybersecurity lock symbol appearing over it.

The growing threat of device code phishing and how to defend against It
See more latest
Most Popular
Nimo N172 laptop
This obscure laptop brand sells a 64GB AMD Ryzen 9 laptop for just over $700 which is faster than the Apple's M4 CPU
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Student with headphones around her neck using a phone while sitting in a cafe in front of a laptop
One of the world's richest men criticizes the spending of billions of dollars on buying laptops for US classrooms with no apparent improvement in results
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring
Tesla Model Y 2025
Tesla’s EU sales are in freefall as VW races ahead, but the Model Y could change all that
Asus NUC 15 Pro+
Asus unveils its most powerful mini PC to date — but I don't think the Intel-powered NUC 15 Pro+ will compete with Strix Halo models
HDD
Seagate teams with Nvidia to build an NVMe hard drive proof of concept, more than 3 years after its last effort
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event