What you need to know
- Windows 365 is Microsoft's new cloud PC service.
- It contains a big security vulnerability.
- Using the right program, users can acquire logged-in users' Azure credentials via Windows 365.
No more than a few days ever pass between massive Windows-related PC vulnerability stories. Currently, there's the neverending PrintNightmare saga, as well as a serious vulnerability affecting Windows 365, Microsoft's new cloud PC service. The issue would allow a malicious individual to gain the Azure credentials of individuals logged into Windows 365.
As reported by BleepingComputer, you'd need to have administrative privileges in order to run the specific program capable of exploiting the vulnerability and putting Azure credentials in plaintext. So, for most people, there won't be a major risk, assuming they're not sharing PC admin privileges with anyone they don't trust. However, imagine you're one of the many people who fall victim to phishing schemes, which then results in handing over control of your PC to a cybercriminal. Once they're in there and can remotely run applications and programs on your machine, they can easily utilize the program to sweep up your Azure credentials through Windows 365.
Given that Windows 365 is a business-and-enterprise-focused feature, one can imagine how dangerous credential theft would be if one threat actor infiltrates a W365 machine with corporate info running the backend of things.
As Benjamin Delpy told BleepingComputer, Windows Hello, 2FA, Windows Defender Remote Credential Guard, and other tools would typically be the way to prevent the above issue from existing and threatening users, but said tools aren't in Windows 365 yet, leaving it particularly vulnerable.
Windows 365 is a new service from Microsoft, so there's a chance all the aforementioned security items will be added in time. For now, watch out. As useful as a cloud Windows 11 or Windows 10 PC can be, it's not without risks.
