Microsoft has addressed a vulnerability in its Azure cloud services following criticism from security researchers. The flaw was first reported to Microsoft by cybersecurity firm Tenable on March 30, 2023. However, it wasn't until early June that Microsoft issued an initial fix, which was found to be insufficient in July. A complete mitigation was completed by Microsoft on August 2, 2023.
The Vulnerability and Its Potential Impact
The vulnerability concerned Power Platform Custom Connectors using Custom Code, a feature that allows customers to write code for custom connectors. If exploited, unauthorized access to sensitive data could occur. Tenable's security team was able to access sensitive data connected to an undisclosed financial institution during the discovery period.
Criticism of Microsoft's Handling of the Issue
Tenable CEO Amit Yoran criticized Microsoft's handling of the issue, stating that the company's lack of transparency and the minimal effort applied to addressing the vulnerability exposed their customers to risks they were deliberately kept in the dark about. He also claimed that Microsoft's partial fix was not enough and that many organizations, including the aforementioned financial institution, were still at risk of a serious data breach.
Microsoft defends its handling of security vulnerabilities, stating it follows an extensive process involving a thorough investigation, update development, and compatibility testing. The company emphasized the delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.
This criticism of Microsoft's handling of security issues comes on the heels of last week's public condemnation of the company by U.S. Senator Ron Wyden of Oregon. In a publicly released letter, Wyden requested that Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan, and Cybersecurity and Infrastructure Security Agency Director Jen Easterly “take actions” against Microsoft over its mishandling of the SolarWinds Chinese espionage attack against the U.S. government in 2020 and 2021. Microsoft's products have accounted for an aggregate 42.5% of all zero days discovered since 2014, according to data from Google Project Zero.