‘Critical’ Azure Vulnerability Is Another Microsoft Security Debacle: Tenable CEO
‘They just do not have a great passion for [reducing] the risk that their customers incur when using the Microsoft Azure cloud platform,’ Tenable CEO Amit Yoran told CRN.
A newly revealed vulnerability in Microsoft’s Azure cloud platform carries a “critical” severity rating, according to researchers from Tenable — prompting the cybersecurity vendor’s CEO to renew his sharp criticisms of how Microsoft handles security issues in its platforms.
“Microsoft wants everybody to trust them, but they have a great lack of transparency and a track record of irresponsibility when it comes to disclosing vulnerabilities and breaches,” Tenable CEO Amit Yoran said in an interview with CRN.
[Related: Four New Microsoft Azure Vulnerabilities Found By Orca Security]
Tenable researchers have recently had first-hand experience with how Microsoft responds when it’s informed about a serious security issue, Yoran said.
“Microsoft will downplay, fail to disclose, not prioritize remediating,” he said. “They just do not have a great passion for [reducing] the risk that their customers incur when using the Microsoft Azure cloud platform.”
The newly revealed Azure vulnerability is a “critical” risk to customers because it can enable unauthorized access to data and applications belonging to other customers, in what’s known as a “cross-tenant” security issue, according to a Tenable post.
The vulnerability was discovered by Tenable researchers and reported to Microsoft on March 30, but the issue was not fixed until July 6, according to Tenable’s timeline. However, on July 10, Tenable says it told Microsoft that the fix was actually “incomplete.”
Microsoft is now saying its fix will not be available until Sept. 28, and Tenable agreed to withhold specific technical information about the vulnerability until that day, according to the Tenable post.
“Microsoft claims that they will fix the issue by the end of September, four months after we notified them,” Yoran said in a LinkedIn post Wednesday. “That’s grossly irresponsible, if not blatantly negligent.”
In response to the Tenable vulnerability disclosure and Yoran’s comments, Microsoft provided a statement that did not address the specific situation but instead offered a general explanation of the “extensive process” the company follows when a vulnerability is disclosed.
The process includes “thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications,” Microsoft said. “Developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
In the statement, Microsoft also said that “we appreciate the collaboration with the security community to responsibly disclose product issues.”
‘Pattern Of Behavior’
In the interview with CRN, Yoran noted this isn’t the first time researchers have had this experience in attempting to work with Microsoft to address serious security issues in Azure and other platforms. Researchers from Orca Security, for instance, reported a similarly unenthusiastic reception from Microsoft after reporting a critical vulnerability in the Azure Synapse analytics service in 2022.
“There’s a continued pattern of behavior [from Microsoft], which I believe undermines security,” Yoran told CRN. “It includes contesting or pushing back on researchers as they disclose vulnerabilities, downplaying the criticality of a vulnerability when the impact could be quite significant to Microsoft customers, and not moving with a sense of urgency to patch and fix and close issues which are discovered — as well as not disclosing the issues to their customers.”
Recent Cloud Breach
The disclosure by Tenable also comes weeks after the discovery of a breach impacting Microsoft cloud email customers, which has included multiple U.S. government agencies among its victims. While Microsoft has said the impacts of the breach were restricted to customers using Outlook Web Access and Outlook.com, researchers from cloud security firm Wiz have said the potential impact may have been much larger.
Wiz researchers said they determined that the compromise could have impacted “every application that supports personal account authentication,” including SharePoint, Teams and OneDrive. In response to the Wiz findings, Microsoft said that it has “not observed those outcomes in the wild.”
Last week, U.S. Sen. Ron Wyden requested a federal investigation to determine “whether lax security practices by Microsoft enabled” the China-attributed hack.