Sloppy, too slow, not transparent enough: criticism of Microsoft's update behavior

In a LinkedIn post, Amit Yoran, CEO of IT security provider Tenable, complains about Microsoft's handling of security vulnerabilities. The company exposes customers to unnecessary risks, he argues: the lack of transparency in cyber security poses a danger to us all. A picture emerges of failed updates, misjudged severity of security flaws, and sometimes even a lack of communication about (closed) vulnerabilities.

Yoran explains the problem using a specific case. In March, Tenable's IT security researchers discovered security flaws in Microsoft's Azure Synapse, a big data analytics service, including one they classify as critical. Microsoft quietly addressed one of the flaws after an evaluation and downplayed the potential risk.

Only after Tenable informed Microsoft that it would publish details about the vulnerability did something change: Microsoft privately confirmed the severity of the vulnerability 89 days after the notification. Microsoft customers, however, have still not received any information about it.

The problem, Yoran continues, is that this lack of transparency on the part of an IT infrastructure or cloud service provider exponentially increases the risk. Without timely and detailed information, customers have no idea whether they were, or still are, vulnerable to attack, or whether they have already been the victims of an attack through a security hole that has since been closed. If customers do not receive a vulnerability notification, they have no way to search for evidence of whether or not they have been compromised, which Yoran calls a highly irresponsible policy.

Not only Tenable but other IT security companies such as Wiz, Positive Security, and Fortinet have described similar experiences. Orca Security can add to that experience. The company's IT researchers also discovered a vulnerability in Azure Synapse that attackers could have used to easily obtain credentials if, among other things, they knew the name of a workspace. This would have allowed further access to and control over the workspace. They could also have run their own code on the customer's machines in the Azure Synapse Analysis Service.

The history of reporting and eliminating the vulnerability fits neatly into this picture. In summary, Orca Security writes: over 100 days until the final fix. Three patches, the first two of which could be outdated. The certificate for the internal monitoring server was revoked and invalidated only after 96 days. On the bright side, it should be noted that both Microsoft and Orca Security published background and details about the vulnerabilities on their blogs after those 100 days. However, there is no indication that Azure customers are receiving an active notification.
