adam121 - stock.adobe.com
Tenable’s CEO and former national cyber security director to the George W Bush administration, Amit Yoran, has hit out at Microsoft and accused the software giant of deliberately putting its customers’ security at risk by keeping them in the dark over the risks and vulnerabilities they face.
Yoran launched his attack after Tenable revealed the existence of a zero-day vulnerability in Microsoft Azure that, left unpatched, would enable limited, unauthorised access to cross-tenant applications and sensitive details – including, though not limited to, authentication secrets. He said Tenable customers – including an unnamed retail bank – are at this moment vulnerable to it.
He said Tenable had taken this issue to Microsoft at the end of March, but it had taken over three months for Redmond to issue a fix that turned out to be incomplete, and it would take until the end of September for the revised patch to be issued.
“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service,” said Yoran.
“That means that as of today, the bank … is still vulnerable, more than 120 days since we reported the issue, as are all of the other organisations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions.
“Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t,” he said.
Timeline of Tenable’s disclosure
- 30 March 2023: Tenable researchers discover and report the issue via Microsoft’s MSRC.
- 30 March: Microsoft acknowledges the issue.
- 3 April: Microsoft confirms the issue.
- 27 April: Tenable requests an update on progress.
- 6 July: Microsoft informs Tenable the issue is fixed.
- 10 July: Tenable researchers find the fix is incomplete and inform Microsoft of this.
- 11 July: Tenable opens a second case with MSRC to track the unfixed issue.
- 11 July: Microsoft requests a delay to public disclosure.
- 14 July: Tenable informs Microsoft it plans to publish an advisory on 31 July.
- 20 July: Microsoft requests more information about what information will be shared in the advisory.
- 21 July: Tenable informs Microsoft it plans a limited advisory with no technical details or proofs of concept included.
- 21 July: Microsoft acknowledges this but informs Tenable that there will not be a fix before 28 September.
- 25 July: Tenable confirms no technical details, etc, will be published prior to 28 September.
- 31 July: Tenable releases its limited advisory on schedule.
Yoran said the so-called shared responsibility model of cyber security espoused by public cloud providers, including Microsoft, was irretrievably broken if a provider fails to notify users of issues as they arise and apply fixes openly.
He argued that Microsoft was quick to ask for its users’ trust and confidence, but in return they get “very little transparency and a culture of toxic obfuscation”.
“How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviours? Microsoft’s track record puts us all at risk. And it’s even worse than we thought,” said Yoran.
“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” he added.
A Microsoft spokesperson said: “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications.
Amit Yoran, Tenable
“Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximised customer protection with minimised customer disruption,” they said.
Computer Weekly understands that the initial fix issued by Microsoft did mitigate the impact of the vulnerability for the vast majority of Azure users, and that the issue has since been fully addressed for all customers who should need to take no further action.
Questions to be answered
Yoran’s diatribe comes as Microsoft faces pressure in the US over its 13 July disclosure that an advanced persistent threat (APT) actor, tracked as Storm-0558 and backed by the Chinese government, had hacked into email accounts at multiple US government agencies using forged authentication tokens via an acquired Microsoft account consumer signing key.
Among those understood to have had their email accounts compromised were Gina Raimondo, the US secretary of commerce, and Nicholas Burns, the US ambassador to China.
At the time, Microsoft took the unusual step of issuing something of a mea culpa, as executive vice-president of security Charlie Bell put it, “the accountability starts right here at Microsoft”.
The attack has understandably not gone over well in Washington DC, and later in July, a group of cross-party US senators, including Tim Kaine, who was Hilary Clinton’s running mate in the hacking-affected 2016 presidential election, wrote to US state department CIO Kelly Fletcher to demand more information on the circumstances surrounding it and establish what actually happened.
Separately, Oregon senator Ron Wyden has written to attorney general Merrick Garland, Federal Trade Commission (FTC) chair Lina Khan, and CISA director Jen Easterly to request the government “take action to hold Microsoft responsible for its negligent security practices, which enabled a successful Chinese espionage campaign against the United States government”.
Read more about security at Microsoft
- A newly uncovered Chinese espionage campaign exploited forged authentication tokens to access its victims’ email accounts, says Microsoft.
- New Microsoft service, Security Copilot, will supposedly expand the reach, speed and effectiveness of cyber teams.
- One year after Microsoft started blocking VBA and XL4 macros by default, the cyber criminal ecosystem has all but stopped exploiting macros in their attacks.