Microsoft fixes Azure flaw that was subject of researcher criticism

Microsoft has publicly confirmed that a potentially dangerous flaw in the Azure public cloud platform – which was the subject of a full and frank attack on the firm’s vulnerability reporting and disclosure processes by Tenable CEO Amit Yoran last week – has been fully addressed for all affected users.

Microsoft had already told Computer Weekly that a fix had been issued and that no further action was necessary. However, since then, it has issued a wider statement on the matter.

In this statement, Microsoft said that all affected customers were notified about the issue via the Microsoft 365 Admin Centre beginning on Thursday 4 August 2023. This was sent using a Data Privacy tag meaning only users with global admin role or a Message Centre privacy reader role can view it. Customers that did not receive any notification can safely assume they need do nothing further.

Full technical details of the flaw have still not been released, pending a full disclosure which at the time of writing, remains scheduled for late September. The bug exists within Power Platform Custom Connectors using Custom Code, a feature that allows users to write their own code for custom connectors.

“The vulnerability could lead to unauthorised access to Custom Code functions used for Power Platform custom connectors. The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function,” wrote the Microsoft Security Response Centre (MSRC) team. 

“Our investigation into the report identified anomalous access only by the security researcher that reported the incident, and no other actors,” they added.

Tenable had initially reported the flaw to Microsoft at the end of March, and Yoran’s outspoken remarks – initially made in a post to social media platform LinkedIn – came after the organisation grew increasingly frustrated at the length of time it was taking to issue a fix and disclose the vulnerability.

Yoran said this lengthy process – now over 120 days – was putting Tenable’s customers at risk. Not only that, he added, but they had “no idea” they were at risk and could not make an informed decision about compensating controls or other mitigations.

“Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t,” he said.

The MSRC said that the initial fix, which went live on 7 June, had mitigated the issue for the majority of customers, but subsequent investigation had uncovered that a small subset of Custom Code in a soft deleted state – which exists to enable quick recovery should someone accidentally hit the backspace key – was still affected. Work to address this issue was completed by Wednesday 2 August.

“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix,” said Microsoft.

“Moving too quickly could result in more customer disruption, in terms of availability, than the risk customers bear from an embargoed security vulnerability. The purpose of an embargo period is to provide time for a quality fix. Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.

“In order to protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit,” it said.

The MSRC team reiterated that Microsoft “appreciates” being part of an ecosystem focused on protecting customers, and the work that the security community puts in to help research and disclose vulnerabilities.

Responding to the MSRC statement, Tenable’s Amit Yoran said: “ It now appears that it was either fixed [last week] or we were blocked from testing. We don’t know the fix, or mitigation, so hard to say if it’s truly fixed or if Microsoft had put a control in place like a firewall rule or ACL to block us.

“When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn’t happen, so it’s a black box, which is also part of the problem. The ‘just trust us’ lacks credibility with the current track record,” he added.