Microsoft is once again being criticized for its handling of the security of its platforms. A security researcher accuses the company of a “culture of toxic concealment” that can only be described as “grossly irresponsible”.
The core complaint is that reports from the security community are always handled relatively laxly. Patching vulnerabilities often takes much longer than necessary, and even when a patch does arrive, it does not always seem to be done with the seriousness it deserves, so the vulnerabilities are only partially patched. At least that is the core of the criticism from Amit Yoran, head of the security company Tenable.
Yoran has now publicly addressed those responsible at Microsoft on LinkedIn. He describes a problem with a critical vulnerability in the Azure platform that his employees reported to the company. Microsoft implemented a patch for this on Monday, which only partially solved the problem.
However, there was definitely enough time for an in-depth investigation and the development of a solution, Yoran explained. After all, the information about the vulnerability was sent to Redmond back in March, and Microsoft has now had 16 weeks. In the meantime, Microsoft has also set a date for a final fix: September 28th.
It takes longer than expected
“To give you an idea of how bad the problem is, our team got access to a bank’s authentication secrets very quickly,” Yoran said. The security researchers were so concerned about the severity of the problem that they contacted Microsoft immediately. However, some disillusionment followed when it took over 90 days for at least part of the problem to be fixed.
Tenable wants to keep details of the vulnerability under lock and key, as it could endanger the security of various Microsoft cloud customers. “Once the details of this vulnerability are known, exploiting it is relatively trivial. For this reason, we are withholding all technical details,” the company said in a statement.
This is not the only case either. The security company Sygnia also reported a problem in the Azure infrastructure that makes it possible to intercept credentials via man-in-the-middle attacks or to steal cryptographic hashes of passwords. Neither case has anything to do with the recent break-ins in Microsoft’s cloud services.
“What you hear from Microsoft is ‘trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran said. “How can a chief of security, a board of directors, or an executive team believe that Microsoft will do the right thing given the facts and current behavior? Microsoft’s track record puts us all at risk. And it’s even worse than we thought.”