Microsoft was flaming fast in fire-fighting a major Office 365 flaw

Office 365

Microsoft has been commended on the speed with which it managed to patch up a huge security flaw in Office 365.

The major vulnerability was discovered by a pair of security researchers, Ioannis Kakavas and Klemen Bratec, who reported it to Redmond on January 5. Microsoft fixed the problem the very same day, which is indeed impressive, but then a swift response was required given the gravity of the issue – and the organisations which were affected.

Redmond sealed up the vulnerability inside seven hours, and "handled the disclosure process admirably" according to Kakavas.

The hole was in the SAML (Security Assertion Markup Language) authentication system and potentially allowed a malicious party exploiting it to access the victim's Office 365 account and everything tied into it such as emails and OneDrive.

SAML shenanigans

Initially the pair believed that this issue only affected Office 365 accounts using SAML 2.0 for cross domain web single sign-on, which was a very limited number of users, but with further probing the researchers found they could crack into the account of any user that had configured their domains as federated (except those with multi-factor authentication enabled).

And those vulnerable Office 365 accounts included BT, Vodafone, British Airways, Intel, IBM, Cisco and the Daily Mail to name a few.

The researchers have only just been given clearance to publish details of the affair, and the pair received a bug bounty reward which was reportedly close to the maximum Microsoft gives out ($15,000 – which is around £10,300, or AU$19,700).

A recent report from Okta showed that Office 365 was the most-used business web app, followed by Salesforce.com, Box, Google Apps for Work, and Amazon Web Services.

Via: Betanews

TOPICS

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).