Expert voices pile up on Microsoft’s “negligent” security management


Critics say software giant Microsoft takes far too long to patch reported security flaws and leaves customers unprotected and uninformed. The latest public criticism comes from Amit Yoran, CEO of security company Tenable.

Microsoft, recently under pressure after Chinese hackers entered US government email accounts, has received renewed criticism.

Yoran added fuel to the fire, claiming that his company discovered a serious issue in the Azure platform in March 2023 and that Microsoft took more than 90 days to ship a fix, and even then only a partial one. According to Yoran, the vulnerability would enable an unauthenticated attacker to access cross-tenant applications and sensitive data such as authentication secrets.


“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran writes in a LinkedIn post.

He slams Microsoft for its lack of transparency about breaches, irresponsible security practices, and vulnerabilities, which expose its customers to risks “they are deliberately kept in the dark about.”

“The truth is even worse than you think,” he claims: the bank he referred to is still vulnerable today, more than 120 days after Tenable’s team first reported the issue. That leaves customers uninformed and unable to make informed risk-mitigation decisions.

“Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully, threat actors don’t,” Yoran writes, citing Google Project Zero data according to which Microsoft products account for 42.5% of all zero-days discovered since 2014.

The post set off a cascade of reactions supporting its claims.

George Kurtz, CEO and founder of the security technology company CrowdStrike, “couldn’t agree more” that Microsoft puts customers at risk and blames the victim when its “broken architecture” causes problems.

“There is way more to this story than we are hearing,” Kurtz added.


Around the same time, several security firms published reports on new attack vectors against Azure.

Vectra Research identified a new attack vector against Azure Active Directory that enables lateral movement to other Microsoft tenants.

And Sygnia revealed new attack vectors against Azure AD Connect, focusing on its Password Hash Sync mechanism. According to Sygnia, these vectors allow attackers to intercept connector credentials through man-in-the-middle attacks or to inject malicious code.

A week earlier, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice, and the Federal Trade Commission (FTC) received a letter from Senator Ron Wyden asking them to hold Microsoft accountable for a repeated pattern of negligent cybersecurity practices that enabled Chinese espionage against the United States government.

The Senator demanded that Microsoft be held responsible for the compromise of hundreds of thousands of government emails and email accounts, including those of the Secretary of Commerce, the US Ambassador to China, and the Assistant Secretary of State for East Asia.

In the letter, he noted that similar attacks had happened before: the 2020 SolarWinds hacking campaign, for example, used a similar technique. However, Microsoft never took responsibility for its role and “blamed federal agencies for not pushing it to prioritize defending against the encryption key theft technique used by Russia, which Microsoft had known about since 2017.”

Microsoft officials told Ars Technica that the company follows an extensive process that includes a thorough investigation of each reported issue.

“Developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption,” the company said.
