0xbadcafebee 3 days ago

I have to give Microsoft props here. Most companies don't bother to lock things down well enough, but they were thorough.

bravesoul2 3 days ago | parent | next [-]

I bet the container was in an isolated VM too.

j-krieger 3 days ago | parent [-]

Every infra I ever worked in used this pattern to a degree. Many Proxmox VMs in a Kubernetes cluster.

silverliver 3 days ago | parent [-]

I've seen people manually create a separate unprivileged user on the host for each VM they run, so for them the pattern becomes:

1. VM running on hypervisor as unprivileged host user

2. Container running in VM as unprivileged vm user

3. Payload running in container as unprivileged container user.

Not sure whether layered isolation is worth the increased attack surface. For normal users (not targets of state actors), it probably is.
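The three layers above only help if each one really is unprivileged, and "not root" is not the same as "no capabilities". Added example, written for this thread rather than taken from silverliver's post or any project: a POSIX shell check that reads the Uid, CapEff and NoNewPrivs fields from text in the format of /proc/<pid>/status and reports whether the process at that layer (hypervisor process on the host, container runtime inside the VM, payload inside the container) is unprivileged. All sample status blocks, uids and capability masks below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a process is
# unprivileged from its /proc/<pid>/status fields. A non-root uid with a
# non-empty effective capability set still counts as privileged.
#
# Exit status: 0 = unprivileged, 1 = privileged, 2 = cannot tell
# (a field is missing; callers should fail closed on 2 as well).
is_unprivileged_status() {
    _status="$1"
    _uids=$(printf '%s\n' "$_status" | awk '/^Uid:/ { print $2, $3 }')
    _cap=$(printf '%s\n' "$_status"  | awk '/^CapEff:/ { print $2 }')
    _nnp=$(printf '%s\n' "$_status"  | awk '/^NoNewPrivs:/ { print $2 }')

    # Missing fields: refuse to call the layer unprivileged.
    [ -n "$_uids" ] && [ -n "$_cap" ] && [ -n "$_nnp" ] || return 2

    # Real or effective uid 0 is root, whatever the container claims.
    for _u in $_uids; do
        [ "$_u" -ne 0 ] || return 1
    done

    # CapEff is a hex mask; any non-zero digit means a capability is held.
    case "$_cap" in
        *[!0]*) return 1 ;;
    esac

    # Without no_new_privs a setuid binary could hand privilege back.
    [ "$_nnp" -eq 1 ] || return 1
    return 0
}

# Convenience wrapper for the running process (Linux only).
self_is_unprivileged() {
    [ -r /proc/self/status ] || return 2
    is_unprivileged_status "$(cat /proc/self/status)"
}

# Constructed samples; not captured from any real system.
SAMPLE_UNPRIV='Name: payload
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
CapEff: 0000000000000000
NoNewPrivs: 1'

# Root inside a container with a typical default capability set.
SAMPLE_ROOT_IN_CONTAINER='Name: payload
Uid: 0 0 0 0
Gid: 0 0 0 0
CapEff: 00000000a80425fb
NoNewPrivs: 0'

# Non-root uid, but one capability (bit 10) was retained.
SAMPLE_CAPS_RETAINED='Name: payload
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
CapEff: 0000000000000400
NoNewPrivs: 1'

describe() {
    _rc=0
    is_unprivileged_status "$1" || _rc=$?
    case "$_rc" in
        0) echo "$2: unprivileged" ;;
        1) echo "$2: PRIVILEGED" ;;
        *) echo "$2: unknown (missing fields)" ;;
    esac
}

describe "$SAMPLE_UNPRIV" "sample 1"
describe "$SAMPLE_ROOT_IN_CONTAINER" "sample 2"
describe "$SAMPLE_CAPS_RETAINED" "sample 3"
```

Run `self_is_unprivileged` from inside each layer (host user, VM user, container user) and treat anything other than exit status 0 as a gap in that layer; the third sample shows why the uid alone is not enough to decide.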

stogot 3 days ago | parent | prev [-]

I would give the one engineer the credit for doing things better, not Microsoft. Microsoft's overall culture of security is terrible. Look at the CISA report.

0xbadcafebee 3 days ago | parent | next [-]

Okay, so I give the team that put this together credit. Hopefully the parent company sees based on this that it's worth letting teams invest more in quality and security work, over features.

dudeinjapan 3 days ago | parent [-]

We should give all the credit to the Product Manager because he told the engineers to make it secure.

chrz 3 days ago | parent [-]

Let's send a thank-you letter to Bill Gates.

dudeinjapan 3 days ago | parent | prev [-]

I presume you mean Bill Gates Sr. because he fathered Bill Gates.

bigfatkitten 3 days ago | parent | prev | next [-]

Microsoft has islands of security excellence in what these days is a sea of mediocrity.

kenjackson 3 days ago | parent | prev [-]

What CISA report?

aspenmayer 3 days ago | parent | next [-]

I’m guessing they mean this one:

https://www.cisa.gov/news-events/bulletins/sb25-167

> Microsoft--Microsoft 365 Copilot

> Description Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

> Published 2025-06-11

> CVSS Score 9.3

> Source Info CVE-2025-32711

https://www.cve.org/CVERecord?id=CVE-2025-32711

And maybe they are referring to this engineer from the linked advisory notes?

https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

> Acknowledgements

> Arantes (@es7evam on X) with Microsoft Aim Labs (Part of Aim Security)

stogot 3 days ago | parent | prev | next [-]

This one: https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

NemosDemos 3 days ago | parent | prev | next [-]

Not OP, but guessing they were referencing this one:

https://www.cisa.gov/resources-tools/resources/CSRB-Review-S...

homarp 3 days ago | parent | prev [-]

https://news.ycombinator.com/item?id=39922066