Microsoft has closed off a cross-site scripting (XSS) vulnerability in Office 365. If exploited, it could have enabled anyone with a mailbox in an enterprise using Office 365 to obtain administrative permission over the entire company's Office 365 environment. That is how an XSS flaw turns into privilege escalation in general: injected script runs in the browser, and with the privileges, of whoever views the affected page, so a bug reachable by an ordinary user becomes an administrator compromise as soon as an administrator views the page. What does that do to your level of trust in the product?
Office 365 Vulnerability
Byrne, the researcher who reported the bug, noted in a blog post detailing how the script could be used that this vulnerability had the potential to cause catastrophic damage in a large enterprise. He wrote:
"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud, we need to be more and more aware of the potential security risks. There are some large, high profile companies now using Microsoft Office 365 and I know that they will be very concerned to hear about these types of exploits. No one knows if someone much more malicious discovered this bug before I did and has used it for profit by extracting sensitive information."
Office 365 One Year On
It is ironic that this exploit is coming to light just a week before Microsoft celebrates the first birthday of Office 365.
The current version of Office 365 was released last Jan. 29, and Microsoft is already beginning to whoop it up over the product's achievements and the traction it has gained in the enterprise. Jose Waldo, senior director of Microsoft's cloud partner strategy, announced in a blog post for the Worldwide Partner Conference 2014 last week that Office 365 has been the fastest-growing product in Microsoft's history, SharePoint included.
He said that one in four of Microsoft's enterprise clients subscribes to Office 365, and that in the past 12 months the number of small and medium-sized businesses (SMBs) signing up has risen by 150 percent.
As an aside, he also said Microsoft is adding 1,000 customers per day to Azure, which currently has 250,000 users, has already sold 100 million Windows 8 licenses, and has certified 3,400 devices for it.
These are Microsoft's own figures, and there is no real way of confirming them independently. Even so, anecdotal evidence from enterprises and small businesses suggests Office 365 has gained considerable traction since its launch.
It must be embarrassing, then, for Microsoft to be forced to fix a bug for its birthday. In fairness, though, it responded to Byrne's report of the bug immediately and sealed it before there was too much damage, or at least before any damage was reported; a company that has been targeted is unlikely to publicize the fact.
Byrne, in fact, points out that Microsoft was exemplary in its response to the vulnerability. That's not always the case when Byrne alerts companies to probable bugs:
"Microsoft, to its credit, did a very good job by quickly fixing this issue and communicated effectively with me during the entire process. I've heard many horror stories from people who have reported bugs to other companies and got nowhere, leaving them with little choice but to publicly disclose the issue before it was fixed."
Applications and Trust
This underlines a problem we reported on last week, when research from Cisco pointed out that many users place too much trust in the infallibility of their software and devices. If, as Byrne says, many companies fail to respond to reports of problems with their software, then Cisco's case becomes even stronger.