Debate rages over Microsoft vulnerability practices after Follina, Azure issues

Microsoft finally released a patch for the much-discussed Follina vulnerability — CVE-2022-30190 — amid fixes for 55 other issues on Tuesday. But the tech giant’s initial response to the issue, and several others, stirred debate among security experts who question Microsoft’s recent handling of vulnerabilities. 

Microsoft initially claimed Follina “wasn’t a security issue” after being sent evidence by the head of advanced persistent threat (APT) hunting organization Shadow Chaser Group. They eventually acknowledged the issue, but several security experts have aired concerns about Microsoft’s responses to a number of vulnerability reports.

On Monday, Amit Yoran, the CEO of cybersecurity firm Tenable, released a lengthy blog post criticizing Microsoft for its recent response to two disclosed vulnerabilities affecting the Azure Synapse service. 

“After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk. It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” Yoran said.  

“To date, Microsoft customers have not been notified. This is a repeated pattern of behavior. Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft’s dismissive attitude about the risk that vulnerabilities present to their customers.”

Yoran went on to say that Microsoft’s frequent reticence to notify customers of issues was “a grossly irresponsible policy.” 

In response to questions about Yoran's comments, Microsoft told The Record that it only assigns CVEs to issues that require customers to take action.

"We addressed the issues that Tenable reported to us and no customer action is required,” a spokesperson said.  

Aaron Turner, CTO at security company Vectra, said he understood both sides of the debate as a longtime former Microsoft security team member. Microsoft wants to have the freedom to manage their cloud services the way they see fit, Turner said. 

“I was at Microsoft in the worst of times, from 1999 through 2006 when the company had to go from some of the worst security update management policies to eventually leading the industry in predictability, transparency and one of the best supporters of responsible disclosure,” he said.

Turner explained that he knows and respects Yoran personally but did not think the blog post was constructive. The rules around responsible disclosure do need to be updated, according to Turner, but he noted that both sides “have room for improvement.”

Turner said there needs to be clearer rules around research into core PaaS and IaaS technologies as well as easier ways for cloud platform operators to provide testing capabilities to researchers and clear responses to responsibly-disclosed vulnerability information. 

“Over the last three decades of my career, I've had to stand in the shoes of all participants in this debate. I worked for the US government researching system vulnerabilities for two years. I'm working for a security technology provider now,” he told The Record. 

“What are the rules for attribution when PaaS and IaaS vulnerabilities are remediated? These are complex topics and don't have simple answers.”

Microsoft security issues affecting US government

Several other researchers were less forgiving of Microsoft, pointing out that more than 33% of the vulnerabilities added to the Cybersecurity and Infrastructure Security Agency’s list of known exploited bugs came solely from Microsoft. 

Microsoft had the most vulnerabilities added to the list in every month this year. The company provides about 85% of U.S Government productivity and collaboration software.

Andrew Grotto, former White House Director for Cybersecurity Policy, argued that Microsoft’s market dominance was part of the problem.

“The data speaks to an outsized representation of Microsoft products having the most critical vulnerabilities. On some level, it may reflect the sheer prevalence of Microsoft products, but it's not like there aren't other vendors whose products are constantly poked and prodded and tested,” explained Grotto, now a cybersecurity professor at Stanford University.

No other vendor “appears with the same frequency and level of severity in terms of vulnerabilities that Microsoft’s products seem to” according to Grotto

“Does the market force Microsoft to remedy this problem or not? What worries me is, right now, there is not a ton of competition, so I’m a bit pessimistic about this trend changing,” he said.   

Steven Weber, professor of the Graduate School of Information at UC Berkeley, said procurement is the best way to drive positive changes in security practices. 

Government procurement practices right now are making the government less secure but also hurting the private markets as well, Weber explained, because it is not creating greater demand for better security.  

“It’s important to keep in context that the widespread market penetration of a company’s products is no explanation for why its products are the most vulnerable. That would be like saying ‘lots of people like sugary drinks, and that’s why we keep finding out that sugary drinks are bad for you,’” Weber said. 

“What we ought to be asking is, given that we know and are shown again and again that the products are highly vulnerable, why do they remain so prevalent in the market?”