
This Microsoft Entra ID Vulnerability Could Have Been Catastrophic (wired.com)

(Friday September 19, 2025 @05:30AM (msmash) from the everyone-gets-admin-privileges dept.)


Security researcher Dirk-jan Mollema discovered two vulnerabilities in Microsoft's Entra ID identity platform that could have granted [1]attackers administrative access to virtually all Azure customer accounts worldwide. The flaws involved legacy authentication systems -- Actor Tokens issued by Azure's Access Control Service and a validation failure in the retiring Azure Active Directory Graph API.

Mollema reported the vulnerabilities to Microsoft on July 14. Microsoft released a global fix three days later and found no evidence of exploitation. The vulnerabilities would have allowed attackers to impersonate any user across any Azure tenant and access all Microsoft services using Entra ID authentication. Microsoft confirmed the fixes were fully implemented by July 23 and added additional security measures in August as part of its Secure Future Initiative. The company issued a CVE on September 4.



[1] https://www.wired.com/story/microsoft-entra-id-vulnerability-digital-catastrophe/



"and found no evidence of exploitation" (Score:2)

by oldgraybeard ( 2939809 )

"granted attackers administrative access" or the attackers did a good job cleaning up!

WTF is Entra ID (Score:4, Interesting)

by PDXNerd ( 654900 )

I had to look this up, apparently Entra ID is an evolution of ADFS or Active Directory Federation in the cloud. I guess you get what you deserve if you're using Microsoft security products in the cloud. Also, Entra ID is a terrible name but AD is a terrible product so I guess it's an evolution of the same terrible security issues.

Re: (Score:2)

by arglebargle_xiv ( 2212710 )

> I guess you get what you deserve if you're using Microsoft security products in the cloud.

I guess you get what you deserve if you're using the cloud.

There, FTFY.

Linux Rally Held in Pennsylvania

HARRISBURG, PA -- Thousands of Linux advocates gathered at the Pennsylvania
state capitol building earlier today. They were protesting the state's recent
three year deal with Microsoft to install Windows NT on all state computer
systems. "Whatever pointy haired boss made this deal ought to be shot on
sight," one protestor exclaimed. "Windows NT is a piece of [expletive] compared
to Linux. The taxpayers of Pennsylvania are going to be sorry three years from
now when this 'deal' concludes. The state has sold its soul to Satan [Bill
Gates]."

Brief hostilities broke out when a group of police officers armed with riot
gear descended on the protestors. After the police threatened to use tear gas,
the protestors threw thousands of Linux CDs at them. Once the supply of CDs was
depleted, the protest became peaceful again. "I saw several policemen pick up
Linux CDs and put them in their pockets," one protestor noted.

The protest broke up a few minutes later once it was realized that the state
legislature wasn't in session. "We may have wasted our time today," one
advocate said, "But we'll be back later." State and Microsoft officials were
unavailable for comment at press time. How typical.