Microsoft resolves vulnerability following criticism from Tenable CEO
Microsoft has resolved a vulnerability that allows threat actors to gain access to information managed by Azure AD, a cloud offering used by large companies for managing user authentication.
Concerns about the issue burst into public view this week when Amit Yoran, the CEO of cybersecurity firm Tenable, published a scathing LinkedIn post bashing the tech giant for its handling of the vulnerability.
On March 30, a researcher at Tenable discovered an issue that enables “limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).”
Tenable reported the vulnerability to Microsoft as soon as they discovered it and Microsoft confirmed the issue on April 3.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” wrote Yoran, who previously served as National Cybersecurity Director at the Department of Homeland Security. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.”
Microsoft waited months to get back to Tenable before claiming the issue was fixed on July 6. Tenable checked the fix and discovered that it was incomplete and was still exploitable.
Microsoft asked Tenable to delay publishing any details about the vulnerability, and the two companies went back and forth for weeks before Microsoft said it would take until September 28 for a fix to be released.
In his blog post, Yoran slammed Microsoft for not moving more quickly to address the vulnerability and noted that without a fix, the bank that they originally tested the issue on was still vulnerable more than 120 days after it was reported.
“And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions,” Yoran explained.
“Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t.”
Tenable’s CEO went on to say the current “shared responsibility model” — where vendors and customers equally carry the burden for addressing security issues — is “irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.”
He said Microsoft urges customers to trust them but in return they get “very little transparency and a culture of toxic obfuscation.”
“How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?” he asked.
Yoran’s blog was published on Wednesday and by Thursday, Microsoft had released a fix for the issue. The company published its own blog post about the issue on Friday.
A Microsoft spokesperson argued that the initial fix published in June had “mitigated the issue for the majority of customers.”
“This issue has now been fully addressed for all customers and no customer action is required,” the spokesperson said.
When asked about the larger controversy over the issue, they said they appreciate the work of the security community to responsibly disclose product issues and noted that they follow an “extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications.”
“Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption,” they said.
In its blog post about the vulnerability, Microsoft confirmed that it could cause “unintended information disclosure [of] secrets or other sensitive information.”
According to their investigation, the only person to exploit the vulnerability was the security researcher from Tenable who discovered the issue, and the customers who had systems accessed by the researcher were contacted.
They argued that only a “very small subset” of users were still affected by the vulnerability after the June 7 fix was released.
“Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions,” Microsoft explained, saying the mitigation was completed on Wednesday. Rushing out a fix, they wrote, may have caused “more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability.”
Tenable’s Yoran told Recorded Future News that he is unsure if the issue was truly fixed or if Tenable was simply blocked from testing it further.
“We didn't know the fix, or mitigation, so it was hard to say if it was truly fixed, or if Microsoft had put a control in place like a firewall rule or ACL [access control list] to block us,” he said.
“When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn’t happen, so it’s a black box, which is also part of the problem. The ‘just trust us’ lacks credibility when you have the current track record.”
In his blog post, Yoran noted that a recent report from Google Project Zero found that Microsoft products have accounted for an aggregate 42.5% of all zero days discovered since 2014.
“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” he said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.