Why Did Microsoft Take 100 Days to Fix an Exposed Private TLS Key in Dynamics 365?

Microsoft's security team has been criticized for taking 100 days to fix a Dynamics 365 vulnerability that exposed the private key of the service's transport layer security (TLS) certificate to anyone with access to a sandbox environment.


Apple was recently involved in a problem where anyone with physical or remote access could potentially unlock a Mac. The company was quick to react, but its fix caused other problems. While Cupertino at least worked quickly, Microsoft's platform turned out to have a serious flaw of its own. Worse, Microsoft has not been nearly as proactive in fixing it.

In Apple's case, a bug in macOS High Sierra allowed the root account to be enabled with an empty password. In theory, anybody who knew the trick could log in to a locked Mac as root. Cupertino issued a rapid patch, which promptly broke file-sharing features in the OS. The company returned with another patch, which a subsequent update then undid.

The point here is that Apple botched the fix, but it did try. In Microsoft's case the vulnerability was different, and so was the way the company dealt with it. ITNews reports that developer Matthias Gliwka discovered a flaw involving the wildcard TLS certificate used by Dynamics 365 sandbox environments.

The certificate was deployed together with its private key when a sandboxed test environment was built for Microsoft Customer Relationship Management, Enterprise Resource Planning, and . Because a wildcard certificate is valid for every hostname under its domain, anyone able to export the key from one sandbox could impersonate the server behind any other sandbox hostname it covers, and could decrypt captured traffic for any connection that did not use a forward-secret (ephemeral Diffie-Hellman) cipher suite.

“Since the attacker can use the original TLS certificate, there's no warning or error on the client side,” Gliwka notes. “Just the green padlock indicating a secure connection. The users of these user acceptance (sandbox) systems are high-value targets. They are usually in key positions at the respective organization and have access to valuable information.”
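The impersonation described above, as an added example that is not code from the article, from Gliwka or from Microsoft: a Go program using only the standard library builds a throwaway private CA, issues a wildcard server certificate of the kind the sandboxes shared, and asks what a client connecting to a different tenant's hostname would accept. The hostnames under sandbox.example.com are placeholders, not the real Dynamics 365 sandbox names, and the locally generated CA stands in for the public CA that issued the real certificate; the client-side check is the same either way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostnames standing in for the real Dynamics 365 sandbox domain.
const (
	wildcardName = "*.sandbox.example.com"
	tenantA      = "tenant-a.sandbox.example.com"
	tenantB      = "tenant-b.sandbox.example.com"
)

// issue creates a fresh P-256 key and a certificate for name. With ca == nil it
// returns a self-signed CA; otherwise a server certificate signed by ca/caKey.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // hostname matching uses the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CanImpersonate reports whether whoever holds key can present cert to a client that
// trusts root and is connecting to hostname, with no client-side warning. Two things
// must hold: key is the certificate's own private key (otherwise the handshake
// signature fails), and cert chains to root and covers hostname (otherwise the
// client reports a certificate error instead of the green padlock).
func CanImpersonate(root, cert *x509.Certificate, key *ecdsa.PrivateKey, hostname string) bool {
	if !key.PublicKey.Equal(cert.PublicKey) {
		return false
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err == nil
}

// Outcome records what a client connecting to tenant B's sandbox would accept.
type Outcome struct {
	WildcardKeyFromTenantA bool // the shared wildcard key exported from tenant A's sandbox
	WildcardCertWrongKey   bool // the wildcard certificate with a key the attacker made up
	PerHostKeyFromTenantA  bool // a certificate issued for tenant A's hostname only
}

// Run builds a private CA, issues the shared wildcard certificate and a per-host
// certificate, and evaluates each against tenant B's hostname.
func Run() (Outcome, error) {
	root, rootKey, err := issue("Sandbox Root CA", nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	wild, wildKey, err := issue(wildcardName, root, rootKey)
	if err != nil {
		return Outcome{}, err
	}
	hostA, hostAKey, err := issue(tenantA, root, rootKey)
	if err != nil {
		return Outcome{}, err
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		WildcardKeyFromTenantA: CanImpersonate(root, wild, wildKey, tenantB),
		WildcardCertWrongKey:   CanImpersonate(root, wild, attackerKey, tenantB),
		PerHostKeyFromTenantA:  CanImpersonate(root, hostA, hostAKey, tenantB),
	}, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // {WildcardKeyFromTenantA:true WildcardCertWrongKey:false PerHostKeyFromTenantA:false}
}
```

Run it with `go run`. The only case a verifying client accepts is the first one: the genuine wildcard key, taken from one tenant's environment, presented under another tenant's name. The certificate without its key fails (the attacker cannot complete the handshake), and a per-host certificate fails the hostname check, which is the error a user would have seen had each sandbox carried its own certificate. The key-matches-certificate test in CanImpersonate is also the first thing to run on an exported PFX during an assessment before claiming impersonation is possible.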

While the vulnerability is worrying, it is not the most concerning aspect of this incident. Unfortunately, breaches and flaws happen, which means users are at the mercy of vendors and how they react to such problems.

Microsoft's Slow Reaction

As mentioned, Apple acted quickly and ultimately botched it. Microsoft's response was no better, and arguably worse. Gliwka reported the flaw to the Microsoft Security Response Center (MSRC) in August. However, Microsoft said the problem did not meet “the bar for security servicing”.

The company reasoned that an attacker would need admin credentials, so the vulnerability was not a serious problem. That is a low bar when a single wildcard key is shared across environments, since whoever exports it once can impersonate every host the certificate covers. Gliwka took the incident public in October with a tweet at Microsoft. Needless to say, the company then swiftly promised a fix.

Despite this promise, Microsoft continued to drag its feet, with two Patch Tuesdays coming and going. The company only fixed the issue last week, which means it took Redmond 100 days from first report to fix.