Facepalm: Data from Google Project Zero says Microsoft products have accounted for 42.5 percent of all zero-day security vulnerabilities discovered since 2014. Now a security firm is accusing the Redmond corporation of being irresponsible and putting all its users at risk.
Tenable CEO Amit Yoran has criticized Microsoft for what he calls irresponsible security practices and a lack of transparency about breaches. According to Yoran, the Azure platform has dangerous vulnerabilities, and Microsoft has deliberately kept its customers in the dark about the risks. Redmond allegedly left Azure vulnerabilities unaddressed for months, even after security specialists had reported them.
Yoran quotes a letter sent last week by Senator Ron Wyden to the Cybersecurity and Infrastructure Security Agency, the Department of Justice, and the FTC. In the letter, Wyden asked federal agencies to hold Microsoft accountable for its missteps and negligent cybersecurity practices, which provided Chinese state actors with a way to spy on United States officials.
In March 2023, Tenable investigated an “issue” in the Azure platform that could have allowed an unauthenticated attacker to access cross-tenant applications and sensitive data. Attackers could have exploited the issue to compromise authentication secrets, Yoran says. Using it, the Tenable team was able to “quickly” discover authentication secrets belonging to a bank.
The bank was so concerned about the issue that Tenable notified Microsoft “immediately.” However, Microsoft did not fully patch the vulnerability; after 90 days it shipped only a partial fix. That fix applied only to applications newly loaded onto Azure, while applications that had been deployed earlier remained exposed.
Today, more than 120 days after Tenable discovered the issue, the bank and every other organization that deployed to the Azure platform before the partial fix are still at risk. Furthermore, Yoran claims they likely have no idea they are unprotected, so they cannot make an informed decision about potential mitigations.
“[Microsoft’s behavior] is grossly irresponsible, if not blatantly negligent,” Yoran said.
Security analysts are well aware of the issue, and Microsoft knows about the security gap too; “hopefully,” Yoran adds, threat actors do not. Cloud providers like Microsoft have heavily promoted a “shared responsibility model” for cloud security, but he argues that model is “irretrievably broken” when the cloud vendor does not notify customers of problems.
Microsoft says, “just trust us” on security, but what customers get back for that trust is very little transparency and a “culture of toxic obfuscation,” Yoran writes. According to Tenable, the company’s track record on security remediation puts all Azure customers, and the third parties that depend on them, at risk.