Published in Cloud

Microsoft slammed for poor security

04 August 2023


Tries to keep too much secret

Software King of the world Microsoft has been slammed by a security company for its poor security on Azure and for encouraging a "culture of toxic obfuscation."

Tenable CEO Amit Yoran said Vole was "grossly irresponsible" and mired in a "culture of toxic obfuscation."

Yoran slammed Vole for failing to fix a "critical" issue that gives hackers unauthorised access to data and apps managed by Azure AD, a Microsoft cloud offering for handling user authentication inside large organisations.

Tenable notified Microsoft of the problem in March, and 16 weeks later Microsoft reported that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft then set September 28 as the date for providing a complete fix.

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote.

"They were so concerned about the issue's seriousness and ethics that we immediately notified Microsoft."

He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took over 90 days to implement a partial fix -- and only for new applications loaded in the service."

In response, Microsoft officials wrote: "We appreciate collaborating with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality while ensuring maximised customer protection with minimised customer disruption."

Microsoft said that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required."

Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. Vendors usually inform us of the fix when we find vulns in other products so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."

Last modified on 04 August 2023