The CEO of cybersecurity firm Tenable has taken to LinkedIn to closely criticize Microsoft on its practices on the subject of patching high-severity flaws and different harmful vulnerabilities.
In a submit printed on (considerably paradoxically) the Microsoft-owned platform, Amit Yoran stated Microsoft has a historical past of non-transparent habits as regards to breaches and vulnerabilities, “all of which expose their clients to dangers they’re intentionally stored at nighttime about”.
The CEO says that his firm found a excessive severity flaw within the Azure platform in March 2023, which may enable menace actors to shortly uncover authentication secrets and techniques. To emphasise the significance of the findings, Yoran stated that the analysts found secrets and techniques to a financial institution, and shortly after, they notified Microsoft of the problems.
Many corporations in danger
The Redmond software program large acknowledged the findings inside days, however took some three months to launch a patch which, based on Yoran, was partial and didn’t handle the problem absolutely. It solely labored for brand new functions loaded within the service.
“That signifies that as of at this time, the financial institution I referenced above continues to be weak, greater than 120 days since we reported the problem, as are the entire different organizations that had launched the service previous to the repair,” he says. “And, to the very best of our data, they nonetheless do not know they’re in danger and subsequently can’t make an knowledgeable choice about compensating controls and different danger mitigating actions.”
In response to Yoran, Microsoft promised a repair by the tip of September, which is “grossly irresponsible, if not blatantly negligent,” he added.
His writeup sparked fairly the controversy on LinkedIn, with nearly 100 completely different feedback and remarks. Most of the individuals who chimed in agree with Yoran’s remarks, with one cynically saying “so that you’re mainly saying that nothing has modified in 30 years?”.
Microsoft is but to touch upon these allegations.
Microsoft claims that they are going to repair the problem by the tip of September, 4 months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We all know concerning the challenge, Microsoft is aware of concerning the challenge, and hopefully menace actors don’t.
Cloud suppliers have lengthy espoused the shared duty mannequin. That mannequin is irretrievably damaged in case your cloud vendor doesn’t notify you of points as they come up and apply fixes brazenly.
What you hear from Microsoft is “simply belief us,” however what you get again may be very little transparency and a tradition of poisonous obfuscation. How can a CISO, board of administrators or govt group consider that Microsoft will do the precise factor given the actual fact patterns and present behaviors? Microsoft’s observe file places us all in danger. And it’s even worse than we thought.
