The CEO of cybersecurity company Tenable has taken to LinkedIn to sharply criticize Microsoft's practices for patching high-severity flaws and other dangerous vulnerabilities.
In a post published on (somewhat ironically) the Microsoft-owned platform, Amit Yoran said Microsoft has a history of non-transparent behavior with regard to breaches and vulnerabilities, “all of which expose their customers to risks they are deliberately kept in the dark about”.
The CEO says that his company discovered a high-severity flaw in the Azure platform in March 2023 which could allow threat actors to quickly discover authentication secrets. To emphasize the importance of the findings, Yoran said that the analysts discovered secrets belonging to a bank, and soon after, they notified Microsoft of the issue.
Many firms at risk
The Redmond software giant acknowledged the findings within days but took some three months to release a patch which, according to Yoran, was partial and did not fully address the issue: it only worked for new applications loaded into the service.
“That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix,” he says. “And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions.”
According to Yoran, Microsoft has promised a fix by the end of September, a timeline he called “grossly irresponsible, if not blatantly negligent.”
His write-up sparked quite the debate on LinkedIn, drawing almost a hundred comments and remarks. Many of the people who chimed in agreed with Yoran, with one cynically asking, “so you’re basically saying that nothing has changed in 30 years?”
Microsoft has yet to comment on these allegations.
Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t.
Cloud providers have long espoused the shared responsibility model. That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.
What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a culture of toxic obfuscation. How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought.