WTF? Microsoft makes fixing deadly OMIGOD flaws on Azure your job

Microsoft Azure users running Linux VMs in the IT giant's Azure cloud need to take action to protect themselves against the four "OMIGOD" bugs in the Open Management Infrastructure (OMI) framework, because Microsoft hasn't raced to do it for them. As The Register outlined in our report on this month's Patch Tuesday release, …

  1. Mike 137 Silver badge

    "fixing deadly OMIGOD flaws on Azure your job"

    So one of the much hyped benefits of cloud (expert security off your hands) is no longer the case. Not surprising really. What many folks don't understand is that cloud services are not hugely profitable on an individual customer basis. The value comes from volume. Consequently, any service that's used by the majority is supported strongly, but services used by only a few don't get the same attention. That's actually the same as in practically every large scale big customer base business.

    1. A random security guy Bronze badge

      Re: "fixing deadly OMIGOD flaws on Azure your job"

      And every security issue on the cloud is at once a major issue.

    2. MyffyW Silver badge

      Re: "fixing deadly OMIGOD flaws on Azure your job"

      Ah "responsibilities that remain with the customer" ... it's the Calrissian conjecture of cloud hosting.

    3. Dan 55 Silver badge

      Re: "fixing deadly OMIGOD flaws on Azure your job"

      Azure is hardly cheap though. It's as if you buy a ticket from BA and get Ryanair levels of service (which sounds about right too).

    4. Doctor Syntax Silver badge

      Re: "fixing deadly OMIGOD flaws on Azure your job"

      Was "expert security off your hands" ever anything more than hype? But as regards to the volume of usage I thought Linux was the dominant OS on Azure these days. Is it just OMI that's less frequently deployed?

      1. Remy Redert

        Re: "fixing deadly OMIGOD flaws on Azure your job"

        Yes and no. There's probably a lot of Linux hosts without OMI running, but more importantly, in its default configuration the OMI host is not exposed to the internet at large. Only to machines within the same (virtual) network.

        So for most people, this gaping hole is covered up by the fact that you can't easily get to it from the internet. It still needs patching, but it's not as absolutely disastrous as it would be if the default configuration was open to the internet.

        That of course also means it's difficult for researchers to tell just how many vulnerable installations exist. Most of those installations will be invisible to the researchers.

    5. Charlie Clark Silver badge

      Re: "fixing deadly OMIGOD flaws on Azure your job"

      AFAIK Microsoft will not be covered by the usual software exemption clause for product defects. They can write all they want to into the T&Cs but this has product liability and class action written all over it and about time too!

    6. chuBb. Silver badge

      Re: "fixing deadly OMIGOD flaws on Azure your job"

      I assumed everyone uninstalled the omi shite from a vm on first boot, mainly as it seems to kill nginx performance and regularly consumes 50% cpu and spawns lots of processes

      Tbh (maybe I'm "experienced" enough now) I don't know any self respecting Linux admin who would let anything run they didn't explicitly put there.

      Then again I first discovered omi because it was breaking apt, so not surprised Ms are not pushing the fix as it will probably brick more than it secures, still yet to see what it offers over snmp

  2. A random security guy Bronze badge

    MS makes you look like a fool for their mistakes

    MS for years they have messed up and still gone laughing to the bank. They are still at it, I guess.

  3. Anonymous Coward

    Ernestine from Microsoft Support has responded: https://vimeo.com/355556831

  4. teebie

    Back to their old tricks

    "Oh, did you get breached, well that's because you're using linux, if you bought a licence for our servers this would never have happened."

    1. Mage Silver badge

      Re: Back to their old tricks

      It makes more sense to run a VM with Windows (when you need windows) on LOCAL HW running Linux natively.

      Windows and especially Azure is worst at Security.

      1998 and MS lies about Linux.

  5. Anonymous Coward

    Let's start with a fairly fundamental question here

    If you're at a minimum Linux aware, why on God's green Earth would you ever want to even go near a Microsoft product to run it on (those who have no choice due to company policy excepted, of course, I feel for you)?!?

    That's like building a bank safe out of meringue.

    1. gerdesj Silver badge

      Re: Let's start with a fairly fundamental question here

      "That's like building a bank safe out of meringue."

      My efforts at meringue make the Scone of Stone look like candyfloss ...

    2. hoola Silver badge

      Re: Let's start with a fairly fundamental question here

      Because your corporate subscription is in Azure and you have no alternative.

  6. batfastad

    H4xx

    Could M$ not just have added to their statement to ask the miscreants using/accessing all these VMs to update the agent on their way out once they are done? I mean that's not far away from the zero-fscks that M$ clearly give.

  7. naive Silver badge

    The uneasy feeling about all the MS provided (spy) stuff on their Linux Azure VM's

    unfortunately became true.

    The good version is 1.6.8.1, OMI is not part of any major distro, so has to be upgraded by hand.

    https://github.com/Microsoft/omi/releases/tag/v1.6.8-1

    Check openssl version first, to determine if the 100 or 110 version of the package is required

    Debian/Ubuntu: apt list --installed | grep -i ssl

    RedHat/centOS: yum list installed | grep -i ssl

    Debian:

    Check currently installed OMI version

    apt list --installed | grep -i omi

    Depending on the openssl version, 1.00 or 1.10 a specific package of the new omi needs to be installed.

    wget https://github.com/microsoft/omi/releases/download/v1.6.8-1/omi-1.6.8-1.ssl_110.ulinux.x64.deb

    dpkg -i omi-1.6.8-1.ssl_110.ulinux.x64.deb

    RedHat/CentOS:

    Also check here if the 100 or the 110 version is required.

    Check installed OMI version

    yum list installed | grep -i omi

    wget https://github.com/microsoft/omi/releases/download/v1.6.8-1/omi-1.6.8-1.ssl_110.ulinux.x64.rpm

    rpm -Uvh omi-1.6.8-1.ssl_110.ulinux.x64.rpm
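The manual steps in the comment above, combined into one check that compares an installed OMI version against 1.6.8-1 and picks the package name matching the OpenSSL series. This is an added example, not part of the original post or of Microsoft's tooling; the package name `omi`, the function names and the sample version strings are assumptions or constructed values.

```shell
#!/bin/sh
FIXED="1.6.8-1"   # the patched release named in the comment above

# ver_ge A B: succeed when A >= B; '.' and '-' both separate numeric fields.
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/-/./g'); b=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# omi_package OPENSSL_VERSION EXT: package file name in the form the comment uses.
omi_package() {
    case "$1" in
        1.0.*) f=ssl_100 ;;
        1.1.*) f=ssl_110 ;;
        *) return 1 ;;        # the comment names only these two builds
    esac
    echo "omi-${FIXED}.${f}.ulinux.x64.$2"
}

# installed_omi: print the installed version, nothing if absent.
# Assumption: the package is registered under the name "omi".
installed_omi() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' omi 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1 && rpm -q omi >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' omi
    fi
    return 0
}

# check_omi OMI_VERSION OPENSSL_VERSION EXT: print a one-line verdict.
check_omi() {
    [ -z "$1" ] && { echo "OMI not installed"; return 0; }
    if ver_ge "$1" "$FIXED"; then echo "OMI $1 is patched"; return 0; fi
    echo "OMI $1 predates $FIXED; install $(omi_package "$2" "$3" || echo 'an unlisted build')"
}

# Constructed sample values. On a real host use:
#   check_omi "$(installed_omi)" "$(openssl version | awk '{print $2}')" deb
check_omi "1.6.4-0" "1.1.1f" deb
```

The version comparison assumes purely numeric fields, which holds for the version strings quoted in the comment.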

    1. Anonymous Coward

      Re: The uneasy feeling about all the MS provided (spy) stuff on their Linux Azure VM's

      What does this OMI tool even do? Why bother upgrading rather than simply removing the thing?

      1. Nunyabiznes

        Re: The uneasy feeling about all the MS provided (spy) stuff on their Linux Azure VM's

        If you remove it, MS will silently re-install the compromised version instead of the patched (ie not compromised yet) version.

    2. Soruk

      Re: The uneasy feeling about all the MS provided (spy) stuff on their Linux Azure VM's

      That's a bit mad, they managed to create a yum repo for their Teams on Linux stuff, you'd have thought they could do the same for this, and drop the entry in /etc/yum.repos.d so it would be kept up to date when you patch your OS.

      But no, they didn't.

  8. FlamingDeath Silver badge

    Comedians

    Microsoft is an awful comedian that everyone just tolerates

    Their code, a bad joke, but everyone still laughs and enjoys the show

    1. Anonymous Coward

      Re: Comedians

      No, we're not enjoying the show, we're just too drunk and too tired to care that the guy at the mic is a complete ass who's stoned out of his mind and told the same offensive "Yo mamma" joke three times in the past 10 minutes.

  9. ITS Retired

    This appears to be more proof that Microsoft has over run its ability to maintain its own products.

    1. nijam Silver badge

      > ... Microsoft has over run its ability to maintain its own products

      Did it ever have that ability?

      1. simonlb

        Yes, shortly before releasing MS-DOS 4. It went downhill rapidly after that.

  10. boblongii

    "Cheap" for a reason

    Our place went to Azure because of price - that price being about 3x the cost of running our existing datacentre, but MS didn't get where they are by people making rational decisions.

    It very quickly became clear that the support staff know fuck all about anything, and their "engineers" have a weak grasp of Windows, let alone Linux.

    Now they've revised their pricing they're not even cheap compared to AWS and when we started talking to AWS about migrating it immediately became clear that the people we were talking to actually had used a computer before and might even, gasp!, have a clue about what they're being paid to have a clue about.

    I'd far rather move back in-house but that boat has sailed, struck an iceberg, and sunk.

    1. Nunyabiznes

      Re: "Cheap" for a reason

      I just don't understand why so many managers insist on going cloud - especially when there is a robust infrastructure in place already. (Acknowledging that there are certainly some use cases where cloud services are the correct technical solution.)

      Ours is forcing us down this path, costing us much more than previously, and getting worse service and security.

      Some people are stupid - not their fault, their parents shouldn't have bred. These managers are willfully ignorant, which is very much on them.

      1. Alister

        Re: "Cheap" for a reason

        "I just don't understand why so many managers insist on going cloud"

        It's because the beancounter mindset worships OPex, and considers CAPex as the work of the devil.

        Going cloud means your IT spend becomes OPex, and they simply don't care if it's 3 x the annual spend if you went with hardware.

        1. hoola Silver badge

          Re: "Cheap" for a reason

          And all you need to worry about is managing the SLAs. If something breaks, write an email or phone the TAM, or whatever then put feet up on desk, job done.

          Techies have pretty much gone and the few that are left are tearing their hair out trying to field of the crap that is now coming downstream from Manglement and upstream from totally alienated users.

          BUT, CIO, CFO etc are all happy because at that level everything is squeaky clean, woolly suits come in with hampers and expensive lunches whilst the next piece of lunacy is plotted.

      2. boblongii

        Re: "Cheap" for a reason

        "I just don't understand why so many managers insist on going cloud "

        In our case it was customer-driven. Basically, we were told that if we didn't offer a "cloud solution" then our largest clients were leaving.

        Now they're on the cloud, paying 3x the price and discovering that, yes, if you ask on Monday for a bigger VM then the cloud *can* say "Sorry, we don't have any capacity; call back next week".

        And all the security issues that have to be guarded against still have to be guarded against while there's a slew of new dangers and points of failure.

  11. LeoP

    Moronity factor of nearly 100 mD

    I petition the Register for a new unit of measurement - for moronity (this is the evil flavour, let's use "idiocy" for the foolish-but-not-evil flavour)

    I propose the natural choice: The Donald

    On such a scale, this would come up to nearly 0.1D (or just shy of 100mD)

    1. Ken Hagan Gold badge

      Re: Moronity factor of nearly 100 mD

      For a less partisan choice of unit: the Darwin.

      One Darwin is a degree of stupidity that would, in the correct circumstances, cause you to be removed from the gene pool.

      Also, if you manage a level of more than one Darwin without being removed, you are said to be super-idiotic.
