Skip to Content

Researchers Discovered a Big Security Flaw In This Important Microsoft Product

Researchers have found a big security hole in some popular Microsoft software that they speculate could have impacted the company’s Azure cloud computing service.

Check Point researchers revealed their findings on Wednesday about a security vulnerability that affects Microsoft’s Hyper-V software, used by companies to create so-called virtual machines. With virtual machines and related virtualization technology, a single computer can function as several, letting companies more efficiently operate their data center infrastructure.

Hyper-V is an important virtualization product for Microsoft that is used in Azure and Windows 10, according to Check Point.

The security flaw was related to a previous bug Check Point discovered that affected Microsoft’s Remote Desktop Protocol (RDP) software, widely-used by corporate IT administrators to remotely access employee computers for troubleshooting.   

Check Point’s head of cyber research, Yaniv Balmas, told Fortune that a hacker could exploit the flaw to take control of a computer. All the hacker must do is to trick victims — though a phishing attack, for example—into unwittingly connecting their computers to the hacker's malware-infected machine via the RDP software.

Although Check Point notified Microsoft about the original RDP bug, Microsoft decided the flaw wasn’t serious enough to create a software patch to fix the problem, Balmas said. After Check Point publicly released its findings about the original RDP bug, other security researchers contacted the company to ask if Check Point researchers were aware if the flaw affected the Hyper-V software as well, Balmas said.

Some of the same technology that powers RDP is also used for the “enhanced session” feature within Hyper-V that lets people remotely connect their computers to virtual machines.

Realizing that the original vulnerability impacted a commonly used Microsoft virtualization product, Balmas said Check Point contacted Microsoft again, which changed its tune about fixing the problem.

“When we told this to Microsoft, they said, ‘Hold on a second, you’re right, this is big,'” Balmas said. “Then they started taking care of this very quickly, very responsibly, and did a very good job.”

A Microsoft spokesperson confirmed that the company fixed the security bug in July. It's unclear whether any hackers used the flaw to access anyone's computer.

“Customers whoapply the update, or have automatic updates enabled, will be protected,” the spokesperson said in a statement. “We continue to encourage customers to turn on automatic updates to help ensure they are protected.”

Balmas speculated that the vulnerability affected Microsoft’s Azure cloud computing service in some way, because Hyper-V helps Azure create and manage virtual machines for users. He said he asked Microsoft if the vulnerability Check Point discussed was “applicable to Azure” to verify his assumption, but the company never directly responded.

Although Check Point found the Hyper-V flaw, it couldn't verify whether it impacted Azure because that would have required engaging in hacking others.

“This is not something we can do legally or ethically,” Balmas said.

Microsoft did not respond to Fortune’s inquiry into whether the security flaw affected Azure in some way.

“We really can’t get a straight answer for them, and I can understand why,” Balmas said. It’s likely Microsoft does not want to draw any negative attention to possible security holes in Azure.

Check Point announced its findings at the annual Black Hat cybersecurity conference in Las Vegas.

Security in cloud computing has recently become a hot topic, with Capital One, an Amazon Web Services customer, admitting that a hacker and former-AWS employee illegally accessed the personal information of over 100 million of its credit card users.   

Coincidentally, earlier this week, Microsoft debuted Azure Security Lab, which lets outside researchers test security flaws in Azure without breaking the entire service. Researchers who spot and exploit Azure security bugs could potentially earn up to $300,000, the company said.

Balmas said that the new Azure Security Lab will help the Check Point researchers continue their testing of the flaw it found.

“So this makes it easier for us,” Balmas said. “It came after we complained.”

More must-read stories from Fortune:

What you need to know about 8chan, the controversial site tied to the El Paso shooting

Verizon’s unlimited plans are getting cheaper. Here’s what you should know

—What CEOs, bankers, and tech execs think about a coming recession

—How an alleged Amazon theft ring got the goods

—Boeing adds a second flight control computer to the 737 Max

Catch up with Data Sheet, Fortune's daily digest on the business of tech.