Microsoft's handling of security vulnerabilities has been criticized by security expert Amit Yoran, CEO of the cybersecurity firm Tenable. Yoran argues that Microsoft's lack of transparency, and the minimal effort the company applies to fixing vulnerabilities reported to it, expose its customers to risks they are deliberately kept in the dark about.
Tenable, a Maryland-based security firm, discovered an issue in Azure that allowed unauthorized access to cross-tenant applications and reported it to Microsoft in March. If exploited, the issue could let an attacker read sensitive data belonging to other tenants. During its research, the Tenable team was able to access sensitive data connected to an undisclosed financial institution.
However, according to Yoran, Microsoft took more than three months to address the issue, and then only partially. He says the partial fix is not enough: it does not cover organizations that deployed the affected service before the fix was applied, such as the financial institution mentioned above, so many organizations remain exposed to a serious data breach. Yoran is highly critical of Microsoft's handling of the issue and calls it "grossly irresponsible".
“That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can't make an informed decision about compensating controls and other risk mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That's grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don't.
Cloud providers have long espoused the shared responsibility model. That model is irretrievably broken if your cloud vendor doesn't notify you of issues as they arise and apply fixes openly.
What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a culture of toxic obfuscation. How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft's track record puts us all at risk. And it's even worse than we thought.”
Microsoft's Response to Security Vulnerabilities
Microsoft defended its handling of security vulnerabilities, stating that it follows "an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications." The company said it must balance timeliness against quality, aiming to maximize customer protection while minimizing customer disruption.
Yoran rejects this explanation. He calls Microsoft's timetable for rolling out a comprehensive fix by the end of September "blatantly negligent," and argues that the company's lack of transparency, which he describes as a culture of "toxic obfuscation," puts everyone who relies on its platforms at risk.
Public Condemnation and Calls for Accountability
This criticism of Microsoft's handling of security issues comes on the heels of last week's public condemnation of the company by U.S. Senator Ron Wyden of Oregon. In a publicly released letter, Wyden requests that Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan, and Cybersecurity and Infrastructure Security Agency Director Jen Easterly "take actions" against Microsoft over what he calls negligent cybersecurity practices that enabled a Chinese espionage campaign against U.S. government email accounts, and over the company's failure to take responsibility for its role in the SolarWinds campaign of 2020 and 2021 (an operation the U.S. government attributed to Russia, not China).
Microsoft's products have accounted for an aggregate 42.5% of all zero-days discovered since 2014, according to data from Google's Project Zero. This track record, together with Microsoft's lack of transparency and accountability in its security practices, has led to increased scrutiny and calls for change.