Microsoft Criticized for 'Grossly Irresponsible' Security Practices

Tenable CEO Amit Yoran argues that Microsoft's handling of security vulnerabilities is far from adequate in keeping the public safe.

Microsoft has come under fire from security expert Amit Yoran, CEO of Tenable, over how it handles security vulnerabilities.

In a blog posted to LinkedIn on Wednesday, Yoran argued that Microsoft's lack of transparency and the little effort the company applied to addressing discovered security vulnerabilities "expose their customers to risks they are deliberately kept in the dark about."

Yoran pointed to the Baltimore-based security firm's recent Microsoft security vulnerability disclosure as an example. In March, Tenable discovered an unauthorized-access issue affecting cross-tenant applications in Azure and reported it to Microsoft; if exploited, the flaw could allow attackers to access sensitive data. To show how severe the issue was, the Tenable security team was able to access sensitive data connected to an undisclosed financial institution during the discovery period.

Microsoft then took over three months to only partially address the issue, according to Yoran.

"Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service."

Yoran argued that the partial fix is not enough: organizations running older applications, like the financial institution mentioned, remain at risk of a serious data breach. For Microsoft's part, Yoran said, the company has only promised that it will continue to address the situation, with sparse details provided beyond that.

According to Yoran's blog, Microsoft still plans to roll out a comprehensive fix for the issue by the end of September – a timetable that Yoran finds "blatantly negligent."

"What you hear from Microsoft is 'just trust us,' but what you get back is very little transparency and a culture of toxic obfuscation," wrote Yoran. "How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it's even worse than we thought."

While not addressing the specific Azure issue brought up by Yoran, Microsoft did release a statement on Wednesday to defend its handling of security vulnerabilities, saying it follows "an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications."

"Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption," said Microsoft.

The Tenable CEO's criticism of Microsoft's handling of security issues comes on the heels of last week's public condemnation of the company by U.S. Senator Ron Wyden of Oregon. In a publicly released letter, Wyden requests that Attorney General Merrick Garland, Federal Trade Commission Chair Lina Khan and Cybersecurity and Infrastructure Security Agency Director Jen Easterly "take actions" against Microsoft over its mishandling of the SolarWinds Chinese espionage attack against the U.S. government in 2020 and 2021.

"Microsoft never took responsibility for its role in the SolarWinds hacking campaign," wrote Wyden. "It blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
