An investigation spurred by one of the customers of their security product has lead researchers of security company Bkav to an unexpected discovery: the servers provided by Amazon’s Cloud Service are riddled with vulnerabilities.
The customer in question complained about his server having been infected with spying and information-stealing malware despite the use of Bkav's antimalware solution.
While investigating how that might have happened, they discovered that Windows Server 2003 on Amazon’s cloud server was last updated in October 2009. What's more, the Auto Update was turned off.
"Five years are more than enough for hundreds or even thousands of flaws to be exposed and exploited, and in light of high level of Internet connection nowadays, the possibility of being penetrated is indisputable," the researchers noted. "We executed a test with dangerous proof-of-concept code MS12-020, which is widely publicized on the Internet, and easily brought the customer’s server down."
They then proceeded to rent several Amazon servers in America, Japan and England and test them, and they discovered the same problem. The only difference was that the date of the last update was early 2012.
These results made them consider the notion that other cloud service providers might offer similarly vulnerable servers, and they decided to investigate.
"In the case of HP Public Cloud, the patch is 8 months out-of-date (July 2013). And GoGrid, another big provider, has similar problem: Auto Update is not activated and the time of latest updates is April 2012," they shared. "Microsoft is the sole exception as this provider turns on Auto Update and has the latest update of the month. It seems that the giant provider is well-aware of the vulnerabilities in their own operating system."
Update - Sunday, 27 April 2014: This story is based on a blog post by Bkav. Amazon does not agree with their research, and their spokesperson sent us the statement below:
“The Amazon Machine Image AMI (AMI) referenced the Bkav blog was published in 2010 and is not on the AWS Marketplace, or available in the AMI catalog, making the entire premise of the blog incredibly misleading. AWS prominently features AMIs of the latest versions of Windows operating systems, complete with the most recent set of Microsoft patches, for AWS customers to launch a secure-by-default Windows instance. This means that when a customer launches a new Amazon EC2 AMI, they get the latest available software patches.
As a standard practice we release new, fully patched Windows AMIs within a week of Microsoft’s patch Tuesday. Customers can customize their Software Update settings in accordance with their corporate software patching policies and security best practices. This includes setting them to automatically check for updates, and choosing whether to download and install them manually or have them install automatically. Once a customer launches an instance of an AMI, they become responsible for managing its software updates, including the updates issued after the build or revision of that specific AMI. To do this for Windows instances, customers can use the Windows Update service, the Automatic Updates tool, or other software update tools they may have deployed in-house.
AWS makes AMIs available on the AWS Marketplace, and we encourage customers to find and use the AMIs we list there as they are vetted for viruses and vulnerabilities on an ongoing basis. In the case this blogger describes in his tests, the customer would have had to intentionally seek out and deploy an old AMI that is not on the AWS Marketplace, then forgo the security best practice of running a software update, in order to run a Windows instance that would allow unauthorized access."
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.