Microsoft Says Azure Cloud Services Safe From Heartbleed SSL Flaw
Microsoft has a silver lining to share during the Heartbleed crisis, at least for users of its Azure cloud services.
Addressing concerns about the OpenSSL flaw and its potential effects on Microsoft's expansive cloud services slate, the software giant revealed that Azure was safe from Heartbleed, Andrew Cushman, senior director of the Security Incident Response unit for Microsoft Azure, wrote in an April 9 blog post.
"Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability," Cushman wrote. "Windows' implementation of SSL/TLS [Secure Sockets Layer/Transfer Layer Security] was also not impacted," he added.
His company does not employ OpenSSL to terminate SSL connections on Azure Web Sites, Pack Web Sites and Web Roles, Cushman wrote. "Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability."
Not all Azure customers are out of the woods, cautioned Cushman.
"Customers running Linux images in Azure Virtual Machines, or software which uses OpenSSL, may be vulnerable," he said. OpenSSL is commonly used on Linux-based servers. The company added support for Linux virtual machines to Microsoft Azure (formerly Windows Azure) in 2012.
It has not been a good week for the Internet at large, following the revelation that an encryption flaw called Heartbleed had been present in OpenSSL for two years before it was disclosed on April 7. The vulnerability affects roughly two-thirds of the world's Websites, a staggering estimate that has thrown Internet, e-commerce and cloud providers into a state of high alert.
The aptly-named Heartbleed vulnerability in OpenSSL (CVE-2014-0160), which sports a spot-on logo from security research firm Codenomicon, is present in the 1.0.1 version of the open-source Secure Sockets Layer (SSL) encryption service. Its name is derived from "TLS heartbeat read overrun," a bug in OpenSSL's TLS/DTLS (TLS/Datagram TLS) heartbeat extension.
If exploited, Web servers and clients could potentially "bleed" the contents of data stored in memory. The flaw has been patched in the hastily issued 1.0.1g update, and at least one major cloud provider has moved to stem the potential fallout.
Matthew O'Connor, a Google product manager, wrote in an April 9 blog post that his company had "assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps and App Engine."
Google Chrome, Chrome OS and Android, with the exception of Android 4.1.1 (Jelly Bean), are not affected, said O'Connor. Google last reported that patches were being applied to Cloud SQL and a fix for Google Search Appliance was in the works. Google Compute Engine customers are urged to manually update OpenSSL on their instances.