Microsoft takes just 7 hours to patch colossal Office 365 vulnerability that exposed companies' data
Companies are often criticized for the length of time it takes them to patch security problems found in software. But this week Microsoft exceled itself, taking just 7 hours to patch a serious security hole in Office 365 that made it possible to gain unrestricted access to businesses' cloud accounts.
A problem with the SAML authentication system meant that it was possible to gain access to just about any Office 365 account, including accessing connected services like Outlook, OneDrive and Skype for Business. More than this, the exploit allowed an attacker to infiltrate companies and organizations such as Verizon, Georgia State University and British Airways who use Office 365. The researchers who unearthed the issue have praised Microsoft for dealing with it so quickly.
Yiannis Kakavas and Klemen Bratec came across the problem back in December 2015, but did not report it to Microsoft until 5 January while they conducted further research. The very same day, the pair say, "Microsoft acknowledges the issue, mitigates it and rolls out an update in 7 hours (!!)".
Writing on his blog, Kakavas said:
A vulnerability in Microsoft Office 365 SAML Service Provider implementation allowed for cross domain authentication bypass affecting all federated domains. An attacker exploiting this vulnerability could gain unrestricted access to a victim's Office 365 account, including access to their email, files stored in OneDrive etc.
This vulnerability was jointly discovered by Klemen Bratec from Šola prihodnosti Maribor, and Ioannis Kakavas fromGreek Research and Technology Network and this blog post is cross-posted here and on Klemen's blog.
Microsoft fixed the vulnerability within 7 hours of our report and handled the disclosure process admirably.