Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT

SentinelOne this week detailed a handful of bugs, including two critical remote code execution vulnerabilities, it found in Microsoft Azure Defender for IoT. These security flaws, which took six months to address, could have been exploited by an unauthenticated attacker to compromise devices and take over critical …

  1. redpawn

    The Key is...

    under the doormat, on the door sill, in the postbox, and under the cute snail in the planter by the front door. In other words, all is secure as long as you don't count the missing back door.

    1. A random security guy

      Re: The Key is...

      With MSFT: Everyone's key is under their doormats and they are all the same.

  2. Joe W Silver badge

    Full of great ideas!

    Like this gem: "because the "secret" API token needed to do this is shared across all Defender for IoT installations worldwide" and " the UUID parameter is not properly sanitized before being used in an SQL query", which means it is likely stupid dynamic SQL, just concatenating strings together instead of using variables in the query (which also need to be treated with some care) - and this also seems to be the case for several of the honourable mentions further down in the text. And then there is the race condition that bypasses the security check and creates a new root password? That's gold! Sounds like somebody had one of those "great idea" moments (no, I am not immune to those, but even in our small team we do some code reviews, which catches all sorts of stuff).

    They owe me a new keyboard. I have learned not to drink coffee when reading the BOFH; apparently I must add "reading about bugs" to the list....
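As an added illustration (not code from the SentinelOne write-up, the article, or Microsoft), the difference between the "stupid dynamic SQL" the comment above describes and a parameterised query. The table, the UUIDs and the injected value are all constructed for the example; the vulnerable helper concatenates the UUID straight into the statement, the hardened ones bind it as a parameter and additionally reject anything that is not shaped like a UUID before it reaches the database.

```python
import re
import sqlite3

# Strict UUID shape check: 8-4-4-4-12 hex groups. Rejecting malformed input
# before it reaches the query is a second, independent layer on top of
# parameter binding (defence in depth, not a replacement for it).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def make_db():
    """Constructed in-memory table standing in for a device registry."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (uuid TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [
            ("11111111-1111-1111-1111-111111111111", "sensor-a"),
            ("22222222-2222-2222-2222-222222222222", "sensor-b"),
        ],
    )
    return conn


def lookup_concat(conn, uuid):
    """VULNERABLE: the caller-supplied value becomes part of the SQL text,
    so quote characters in it change the statement's structure."""
    sql = "SELECT name FROM devices WHERE uuid = '" + uuid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, uuid):
    """Hardened: the value is bound as a parameter. The statement's structure
    is fixed at parse time; the input is only ever compared as data."""
    rows = conn.execute("SELECT name FROM devices WHERE uuid = ?", (uuid,))
    return [row[0] for row in rows]


def lookup_validated(conn, uuid):
    """Hardened plus input validation: returns None for anything that is not
    a well-formed UUID, so malformed input never reaches the database."""
    if not UUID_RE.match(uuid):
        return None
    return lookup_param(conn, uuid)


def demo():
    """Run both paths against a legitimate UUID and a constructed
    quote-bearing value; returns the observed results for comparison."""
    conn = make_db()
    good = "11111111-1111-1111-1111-111111111111"
    # Constructed malicious value: the embedded quote closes the literal in
    # the concatenated query and the trailing tautology matches every row.
    bad = "x' OR 'a'='a"
    return {
        "concat_good": lookup_concat(conn, good),
        "concat_bad": sorted(lookup_concat(conn, bad)),
        "param_good": lookup_param(conn, good),
        "param_bad": lookup_param(conn, bad),
        "validated_bad": lookup_validated(conn, bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated query the constructed value returns every device; with the bound parameter it matches nothing, because the whole string is compared against the `uuid` column as a value. The shape check is worth keeping even with binding in place: it shrinks what can reach the query at all, and a rejected lookup is an easy thing to log and alert on.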

  3. Anonymous Coward

    Just stop it

    Running code authored by this shit show is negligent. Microsoft have proven over decades that they are incapable of creating secure code. If you deploy their garbage you are responsible for leaving all your doors and windows open.
