A cybersecurity company is openly criticizing Microsoft for allegedly being slow to address a severe vulnerability that has threatened the technology giant's enterprise customers for several months.
In a LinkedIn post published on Wednesday, Amit Yoran, CEO of Tenable, expressed his concern over Microsoft's response time to a critical flaw discovered in the Azure cloud computing platform by a Tenable security researcher in March. The flaw was deemed "critical" and could potentially enable hackers to gain unauthorized access to applications and sensitive data, including authentication secrets, belonging to enterprise customers using Azure.
Yoran disclosed, “To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank.” Recognizing the gravity of the situation, Tenable promptly notified Microsoft about the vulnerability, fearing that it could lead to breaches across numerous customer networks.
Yoran criticized Microsoft for its delayed patch rollout and its failure to fully resolve the issue. He pointed out that it took Microsoft over 90 days to implement a partial fix, which applied only to new applications loaded onto the service. This means that organizations that were using the service before the fix are still vulnerable, including the bank mentioned in Yoran's post.
The publication of Yoran’s blog post follows Senator Ron Wyden’s criticism of Microsoft’s cybersecurity practices after state-sponsored hackers infiltrated Microsoft services twice, during the 2020 SolarWinds hack and the more recent Outlook-based email hack.
Yoran raised concerns about Microsoft’s transparency and alleged a culture of “toxic obfuscation.” He believes that Microsoft’s assertions of trustworthiness are met with limited transparency in practice.
Microsoft defended its patching process, explaining that it entails a thorough investigation, development of updates for all affected product versions, and compatibility testing across various operating systems and applications. The company emphasized the delicate balance between promptness and quality in developing security updates.
Yoran's LinkedIn post prompted responses from other cybersecurity executives. George Kurtz, CEO of cybersecurity firm CrowdStrike, agreed with Yoran's sentiments, asserting that Microsoft's actions place customers at risk and shift blame to victims when architectural problems arise.