As most cloud infrastructure providers announced fixes to the worrying Heartbleed OpenSSL flaw, Microsoft’s Azure cloud has emerged largely unscathed — but customers running Linux images on it may be affected, the company warned.
As of Wednesday, public cloud providers Google, Amazon, Rackspace, Joyent, and CenturyLink had issued updates to inform customers which systems had been patched and what remediation steps were needed for components that may be affected by the Heartbleed bug.
For a quick recap, the memory leakage bug means attackers can hit up affected servers to extract passwords, private keys, and session tokens, among other data.
Late on Wednesday Microsoft also, somewhat belatedly, issued its notification for Azure customers since “many customers are wondering whether this affects Microsoft’s offerings, specifically Microsoft Azure”, its Azure blog said yesterday.
According to Microsoft, “most” Microsoft Services, including Microsoft Account and Azure, were not affected by the OpenSSL vulnerability, and of course the Windows implementation of SSL/TLS was not impacted.
“Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (aka SChannel), which is not susceptible to the Heartbleed vulnerability,” it said.
However, it warned that customers running Linux images in Azure Virtual Machines (which they’ve been able to do since 2012, when the Heartbleed bug first entered OpenSSL) could very well be vulnerable.
“We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider,” Microsoft said, pointing to guidance from US-CERT.
SOURCE: Liam Tung