Microsoft attacked over ‘grossly irresponsible’ security practice

Tenable’s CEO and former national cyber security director to the George W Bush administration, Amit Yoran, has hit out at Microsoft and accused the software giant of deliberately putting its customers’ security at risk by keeping them in the dark over the risks and vulnerabilities they face.

Yoran launched his attack after Tenable revealed the existence of a zero-day vulnerability in Microsoft Azure that, left unpatched, would enable limited, unauthorised access to cross-tenant applications and sensitive details – including, though not limited to, authentication secrets. He said Tenable customers – including an unnamed retail bank – are at this moment vulnerable to it.

He said Tenable had taken this issue to Microsoft at the end of March, but it had taken over three months for Redmond to issue a fix that turned out to be incomplete, and it would take until the end of September for the revised patch to be issued.

“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service,” said Yoran.

“That means that as of today, the bank … is still vulnerable, more than 120 days since we reported the issue, as are all of the other organisations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions.

“Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t,” he said.

Yoran said the so-called shared responsibility model of cyber security espoused by public cloud providers, including Microsoft, was irretrievably broken if a provider fails to notify users of issues as they arise and apply fixes openly.

He argued that Microsoft was quick to ask for its users’ trust and confidence, but in return they get “very little transparency and a culture of toxic obfuscation”.

“How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviours? Microsoft’s track record puts us all at risk. And it’s even worse than we thought,” said Yoran.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” he added.

A Microsoft spokesperson said: “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about”