A cybersecurity firm is calling out Microsoft for allegedly taking too long to patch a serious vulnerability that has threatened the company’s enterprise customers for months.
“Microsoft claims that they will fix the issue by the end of September, four months after we notified them,” Amit Yoran, CEO of Tenable, wrote in a Wednesday LinkedIn post.
According to Yoran, a Tenable security researcher discovered a “critical” flaw in Microsoft’s Azure cloud computing platform in March. The vulnerability could allow a hacker to access applications and sensitive data, including authentication secrets, from enterprise customers that use Azure.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran said.
Tenable notified Microsoft about the problem, fearing the vulnerability could help a hacker breach numerous customer networks. But according to Yoran, Microsoft was slow to roll out a patch and then failed to fully fix the problem.
“They took more than 90 days to implement a partial fix—and only for new applications loaded in the service,” he alleges. “That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix.”
Yoran published the blog post days after Sen. Ron Wyden harshly criticized Redmond for “negligent cybersecurity practices” after state-sponsored hackers breached Microsoft services twice: once during the 2020 SolarWinds hack, and again in the Outlook-based email hack that was disclosed last month.
Wyden is calling on federal authorities to investigate Microsoft over its cybersecurity practices, which Yoran also alleges contain clear problems. “What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” he says.
Microsoft tells PCMag it has fully addressed the vulnerability for all customers. It also claims that the initial fix rolled out in June mitigated the issue for a majority of customers.
On why the patch was so slow to roll out, Microsoft is indicating it takes time to develop a quality fix. “We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications,” the company says. “Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
Since Yoran posted on LinkedIn, other cybersecurity executives have chimed in. “Amit, I couldn't agree more,” wrote George Kurtz, the CEO of cybersecurity firm CrowdStrike. “Said in simple terms, Microsoft puts customers at risk. Period. And when there is a problem with their broken architecture, they blame shift to the victim rather than take responsibility.”