
The global vulnerability identified by Digia and Monti in Microsoft Power Pages has now been fixed

Experts from software and service company Digia and cybersecurity company Monti discovered a vulnerability in Microsoft's Power Pages solution, which Microsoft has now globally fixed for all users. This case exemplifies how top-notch cybersecurity is built today through close cooperation between different parties. Digia and Monti are donating the Bug Bounty reward granted by Microsoft to support youth mental health work through Mieli Mental Health Finland.

"The importance of cybersecurity and protection is only emphasized in today's world, where information systems are becoming increasingly complex, and unfortunately, the risks and threats targeting them are also growing," says Tarmo Karppinen, Chief Security Officer (CSO) at Digia.

Digia and Monti found the vulnerability in Microsoft's Power Pages solution during one of Digia’s delivery projects. Monti acted as a partner overseeing the project's cybersecurity implementation. Digia and Monti designed and implemented a patch in the delivery project, allowing the system to be used safely.

The vulnerability was promptly reported to Microsoft, which has now released a global fix for the Power Pages application for all users.
There is no known misuse of the vulnerability.

"At worst, the vulnerability could have allowed an attacker to execute malicious code in the system user's browser. However, exploiting the vulnerability would have required bypassing multiple protections," says Lauri Vehviläinen, Senior Security Expert at Monti.

Microsoft awarded Digia and Monti a $3,000 Bug Bounty reward for discovering the vulnerability. Digia and Monti have donated this amount to Mieli Mental Health Finland to support a chat service aimed at young people with mental health issues.

Lessons for all companies and organizations

Based on this case, Karppinen and Vehviläinen highlight things that all organizations should remember.

"Firstly, discovering this vulnerability reflects the importance of thorough cybersecurity testing. Information systems are typically built and developed through the collaboration of different actors, so cybersecurity must be ensured throughout the entire chain," says Karppinen.

At Digia, application security is part of the cybersecurity management system and thus part of every development project. However, says Karppinen, it is still essential that customer companies also understand and are ready to invest in cybersecurity.

"If you need to strengthen your expertise or resources, we encourage you to use third parties to support cybersecurity," says Karppinen.

Lauri Vehviläinen from Monti also emphasizes the importance of effective cooperation in improving cybersecurity, where "one designs, another implements, and a third one verifies."

"As a company developing and verifying cybersecurity, we are constantly in contact with our clients' other partners. Full marks to Digia for their comprehensive approach to cybersecurity, especially for their open and interested attitude towards the cybersecurity issues we raised. The handling and reporting of this particular vulnerability resulted from excellent cooperation," says Vehviläinen, who was involved in the discovery.

"Digia and Microsoft have a strong partnership spanning years. We work together to continuously develop a world-class product family that is safer and brings more value to our customers," says Samuli Forsman, Senior Delivery Group Director at Digia.

Info: Microsoft Power Pages and the fixed vulnerability
•    Microsoft Power Pages is an application for building web pages on the Microsoft Dynamics 365 business platform.
•    The system in which the vulnerability was found during a delivery project is an interface for the company's customers to the company's CRM system.
•    The vulnerability was found and fixed before it was known to have been exploited for misuse.
•    Microsoft has implemented a global fix for all users.

More information:

Tarmo Karppinen
Chief Security Officer (CSO), Digia
tel. 050 438 8544
tarmo.karppinen(a)digia.com

Samuli Forsman
Senior Delivery Group Director, Digia
tel. 040 709 2521
samuli.forsman(a)digia.com

Oula Hallman
CEO, Cybersecurity company Monti
tel. 050 556 7764
oula(a)monti.fi

Digia is a software and service company that combines technological possibilities and human capabilities to build intelligent business, society and a sustainable future. Our mission is to ensure that our customers are at the forefront of digital evolution. There are more than 1,500 of us working at Digia and we operate globally with our customers. Digia’s net sales totalled EUR 205.7 million in 2024. The company is listed on Nasdaq Helsinki (DIGIA). digia.com