this post was submitted on 07 Aug 2023
49 points (98.0% liked)

cybersecurity

3030 readers
2 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 27 points 1 year ago

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad.

Jesus fucking Christ..... I really did not expect this from Microsoft I have to say. The first one is strange already but the second one? Really looking forward to their explanation of this cluster fuck....