“Extremely irresponsible” is how Amit Yoran, CEO of the security company Tenable, describes Microsoft’s behavior when it comes to security. The background is that his company found and reported a critical vulnerability in the Microsoft Azure cloud more than three months ago. Only after Tenable spoke publicly about the problem did Microsoft close it, hastily and almost overnight.
In his LinkedIn post “Microsoft…The Truth Is Even Worse Than You Think”, Yoran really let loose and also drew a connection to the events surrounding the recently stolen master key:
‘Microsoft’s lack of visibility into intrusions, irresponsible security practices and vulnerabilities that expose all of their customers to risks they are intentionally left in the dark about.
What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a toxic culture of obfuscation. Given this pattern of behavior, how can a CISO, board of directors, or executive team believe that Microsoft will do the right thing?’
Password theft possible
The new vulnerability gave attackers access to cloud credentials such as tokens or passwords under certain conditions. A first update from Microsoft did not completely eliminate the problem. The cloud company then announced a fix for September 28, which prompted Tenable to make the problem public, but without giving any details about the vulnerability.
A short time later Microsoft reported that the work was complete; ITwire quoted a Microsoft spokesperson as saying that the gap had already been closed for most of the affected customers in June and that all customers are now protected, so no further action by customers is required. I guess that’s what Yoran meant when he said, “Just trust us.” Tenable has since published a more detailed description of the vulnerability: Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform.
Update 08/04/2023 11:27 am
The vulnerability is not in Azure Active Directory (AAD) itself; it consists of unauthorized access to the Azure API. Among other things, OAuth client IDs and secrets, which are typically stored in AAD, could also be retrieved this way. We have removed incorrect or misleading references to Azure Active Directory.