In a post on Linkedin, the CEO of IT security service provider Tenable, Amit Yoran, complains about Microsoft’s handling of security gaps. The company exposes customers to unnecessary risks: A lack of transparency in cyber security means a danger for all of us. A picture of botched updates, incorrect assessment of the severity of security gaps and sometimes even a lack of communication about (closed) vulnerabilities is emerging.
Silently patched security leaks
Yoran explains the problem using a specific case. IT security researchers from Tenable discovered security gaps in Microsoft’s Azure Synapse, a big data data analysis service, in March. Including one that you classify as critical. Microsoft silently fixed one of the gaps after an evaluation and downplayed the potential risk.
Only after Tenable informed Microsoft that they were publishing details about the vulnerability did something change: Microsoft privately confirmed the severity of the vulnerability 89 days after notification. However, Microsoft customers have not yet received any notification.
The problem here is that this lack of transparency on the part of an IT infrastructure or cloud service provider increases the risk exponentially, Yoran continues. Without timely and detailed information, customers would have no idea if they were or still are vulnerable to attacks. Or whether they have already been the victim of an attack on a sealed security hole. If customers didn’t receive a vulnerability notification, they wouldn’t have a chance to look for evidence that they might or might not have been compromised — a highly irresponsible policy, Yoran adds.
Not an isolated case
Not only Tenable, but also other IT security companies such as Wiz, Positive Security and Fortinet described similar examples. OrcaSecurity can also contribute such an experience. The company’s IT researchers have also discovered a vulnerability in Azure Synapse that attackers could use to easily obtain access data if they knew the name of a workspace, among other things. This would enable further access and control of the workspace. They could also have run their own code on the customer’s machines in the Azure Synapse analytics service.
The chronology of the vulnerability reporting and elimination fits seamlessly into the picture. In summary, OrcaSecurity writes: Over 100 days for the final error correction. Three patches, the first two could be overcome. The certificate for the internal control server was only withdrawn and invalidated after 96 days. On the positive side, however, it should be noted here that both Microsoft and OrcaSecurity have published backgrounds and details on the vulnerabilities in their blogs after the 100 days. However, there is no indication that Azure customers are actively notified.
To home page
#Shoddy #slow #nontransparent #criticism #Microsofts #update #behavior