Microsoft is thinking about buying an Israeli security company that yesterday posted instructions on how to change Active Directory passwords by exploiting a design flaw.
Microsoft is talking to startup Aorato, according to a source quoted by The Wall Street Journal, with the possibility that a deal could be struck by the end of the summer. The buying price mentioned is $200 million.
Aorato sells what it calls a firewall designed specifically for Active Directory in order to identify attacks against the directory servers. The Directory Services Application Firewall does this by monitoring network traffic, establishing normal behaviors and flagging anomalies.
So the company has looked carefully at Active Directory and possible ways its security can be compromised.
The Aorato blog post by its research vice president Tal Be'ery details how an attacker could use the hash of a user's single-sign-on password to access other services than Active Directory. The attacker could also change the password, all without any of the malicious activity registering in event logs, Aorato says.
Microsoft minimized the importance of the attack, calling it a well-known limitation, and citing three ways to block changing passwords.
Be'ery disagrees. "While Microsoft considered the protocol's design limitation public and 'well known', it is the combination of the different aspects which makes this revelation novel," Be'ery's blog says. "In fact, each piece of the protocol within itself is indeed public knowledge, appearing in various public documents. However, the actual correlation- and its dire consequence -- when placing the pieces together has never been investigated before. ... The fact that this behavior is not logged has not been addressed by Microsoft."
Aorato posted Microsoft's comments along with its exploit.
Aorato has received $10 million in funding from investment firms that include ACCEL Partners, Innovation Endeavors, Glilot Capital Partners as well as angel investors.
The company came out of stealth mode in January, and its product can be deployed as an appliance or running on VMware or Hyper-V virtual machines.