Amazon Web Services (AWS) and other public cloud service providers are coming under fire for not patching their cloud systems in a timely manner. According to security firm Bkav, an AWS cloud server running Microsoft (MSFT) Windows Server with auto updating turned off was responsible for one of its customers becoming infected with malware.
Ngo Tuan Anh, vice president of Internet Security at Bkav, posted a blog this week outlining how a customer had reported signs of malware on its systems. Anh noted when his company traced the issue back, it led to an AWS cloud server running Windows Server 2003 that had last been patched in October 2009 and had auto update turned off.
"Five years are more than enough for hundreds or even thousands of flaws to be exposed and exploited, and in light of high level of Internet connection nowadays, the possibility of being penetrated is indisputable. We executed a test with dangerous proof-of-concept code MS12-020, which is widely publicized on the Internet, and easily brought the customer’s server down," Anh wrote.
Bkav took the investigation a step further by renting Amazon servers in different AWS regions around the world, and according to the company, the flaw existed each time. Sometimes the patches were more recent, but even so, many were only patched up until March 2012, Anh noted.
"In previous investigations, we always wondered why hackers were able to mobilize such a large number of servers for DDoS attacks, establishing phishing websites or spreading malware. The answer seems to be clear now because one third of Internet users access an Amazon AWS cloud site on average at least once a day," Anh wrote.
But the vulnerability isn't just an AWS one, Anh noted. He mentioned that Bkav tested Microsoft Azure, HP Public Cloud and GoGrid. Of the four public cloud infrastructure-as-a-service (IaaS) providers, Bkav found that only Microsoft was patching regularly and had auto-update turned on.
If the accusations are true, then it looks as though cloud providers need to step up their security game to ensure customers are appropriately protected.