MSFT Plugs Office 365 Vulnerability But Trust May be Leaking

Microsoft has closed off a cross-site scripting (XSS) vulnerability in Office 365. If exploited, it could have let any user with an ordinary mailbox in an organization's Office 365 tenant gain administrative control over that organization's entire Office 365 environment. What does that do to your level of trust in the product?

Office 365 Vulnerability

The problem, identified in October and closed only in late December, has come to light just recently. It was found by Alan Byrne, co-founder of internet security firm Cogmotive, who noted that it could be exploited with a few lines of simple JavaScript. Byrne demonstrated the exploit in a YouTube video.

In a blog post detailing how the script could be used, Byrne noted that this vulnerability had the potential to cause catastrophic damage in a large enterprise. He wrote:

"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud, we need to be more and more aware of the potential security risks. There are some large, high profile companies now using Microsoft Office 365 and I know that they will be very concerned to hear about these types of exploits. No one knows if someone much more malicious discovered this bug before I did and has used it for profit by extracting sensitive information."
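The attack class the article describes, stored XSS in an administrative console, is easy to reproduce in miniature. The following is an added example written for this page, not Cogmotive's proof of concept or Microsoft's code. The page does not say which Office 365 field was injectable, so the display-name field, the `/admin/api/roles` endpoint and the sample users are assumptions. It shows the vulnerable rendering, the escaped rendering, and a check a test suite can run over the rendered HTML:

```javascript
// Added illustrative example for this article, not Cogmotive's proof of concept
// or Microsoft's code. It shows the class of bug described: stored XSS in an
// administrative console that renders a profile field ordinary users can edit.
// ASSUMPTIONS: the injectable field is the display name, and /admin/api/roles is
// a hypothetical admin-only endpoint; the page names neither.

// Constructed sample directory. Mallory is an ordinary user whose display name
// carries a payload. A <script> element inserted via innerHTML does not execute,
// so stored-XSS payloads usually ride on an event handler such as onerror. If an
// admin views this row in the vulnerable console, the fetch() runs in the
// admin's browser with the admin's session and grants Mallory the admin role.
const users = [
  { upn: "alice@example.com", displayName: "Alice Admin", role: "GlobalAdmin" },
  {
    upn: "mallory@example.com",
    displayName:
      '<img src=x onerror="fetch(\'/admin/api/roles\', {method: \'POST\', ' +
      "body: 'user=mallory@example.com&role=GlobalAdmin'})\">",
    role: "User",
  },
];

// Vulnerable: untrusted values are concatenated straight into the markup.
function renderUserRowVulnerable(user) {
  return `<tr><td>${user.displayName}</td><td>${user.upn}</td><td>${user.role}</td></tr>`;
}

// Escape the five characters that change meaning in HTML text and in
// double-quoted attribute values. This is the fix for element-content context;
// values placed in URLs, scripts or CSS need their own context-specific encoding.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the same template, with every untrusted value escaped.
function renderUserRowHardened(user) {
  return `<tr><td>${escapeHtml(user.displayName)}</td><td>${escapeHtml(user.upn)}</td><td>${escapeHtml(user.role)}</td></tr>`;
}

function renderTable(renderRow) {
  return `<table>${users.map(renderRow).join("")}</table>`;
}

// Test-suite check over rendered output: list every tag the template did not
// emit itself, plus any tag carrying an inline event handler. Escaped output
// contains no raw '<', so nothing but table/tr/td can appear in it.
function findInjectedTags(html) {
  const templateTags = new Set(["table", "tr", "td"]);
  const injected = [];
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (!templateTags.has(name) || /\son[a-z]+\s*=/i.test(attrs)) injected.push(name);
  }
  return injected;
}

console.log("vulnerable:", findInjectedTags(renderTable(renderUserRowVulnerable))); // [ 'img' ]
console.log("hardened:  ", findInjectedTags(renderTable(renderUserRowHardened)));   // []
```

Run it with `node`. The check only catches element-context injection, which is all this template exposes; a value placed inside an attribute, a URL or a script block needs encoding for that context, and a Content-Security-Policy that forbids inline scripts limits what an injected handler can do when escaping is missed somewhere.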


Office 365 One Year On

It is ironic that this vulnerability has come to light just a week before Microsoft celebrates the first birthday of Office 365.

Office 365 was released last Jan. 29, and Microsoft is already celebrating the product's achievements and the traction it has gained in the enterprise. Josh Waldo, senior director of Microsoft's cloud partner strategy, announced in a post on the Worldwide Partner Conference 2014 blog last week that Office 365 has been the fastest-growing product in Microsoft's history, outpacing even SharePoint.

He said that one in four of Microsoft's enterprise clients subscribes to Office 365, and that the number of small and medium-sized businesses (SMBs) signing up has grown 150 percent in the past 12 months.

As an aside, he also said Microsoft is adding 1,000 customers a day to Azure, which currently has 250,000 users, and has already sold 100 million Windows 8 licenses and certified 3,400 devices.

These are Microsoft's own figures, and there is no real way to confirm them independently. Even so, anecdotal evidence from enterprises and small businesses suggests Office 365 has gained considerable traction since its launch.

It must be embarrassing, then, for Microsoft to have had to fix a bug in time for the birthday. In fairness, it responded to Byrne's report immediately and closed the hole before any serious damage was reported. Reported is the operative word: an organization that had been targeted would be unlikely to publicize it.

Byrne, in fact, says Microsoft was exemplary in its response. That is not always the case when he alerts companies to bugs:

"Microsoft, to its credit, did a very good job by quickly fixing this issue and communicated effectively with me during the entire process. I've heard many horror stories from people who have reported bugs to other companies and got nowhere, leaving them with little choice but to publicly disclose the issue before it was fixed."

Applications and Trust

This underlines a problem we reported on last week, when research from Cisco pointed out that many users place too much trust in the infallibility of their software and devices. If, as Byrne says, many companies fail to respond to reports of problems with their software, Cisco's case becomes even stronger.

The implication is that users of any software should be a little careful with the software and devices they rely on, since it is possible, even probable, that they contain vulnerabilities just waiting to be exploited.

Again, it is worth remembering the Adobe breach last year, when attackers compromised its servers and took information on millions of customers, including encrypted credit and debit card details.

More recently, in December, Trustwave revealed that more than 2 million credentials for social media sites including Facebook and Twitter, as well as Yahoo and Google accounts, had been harvested by password-stealing malware and collected on a botnet server.

In light of this never-ending list of attacks, perhaps enterprises should take threats a little more seriously, even though, in the case of Office 365, Byrne noted that he would still recommend it to customers. The same cannot be said for vendors that fail to respond when vulnerabilities are reported to them.

Title image by junrong (Shutterstock).