Tenable CEO Slams Microsoft for Failing to Quickly Patch Bug
Amit Yoran Says Microsoft Left Critical Azure Vulnerability Unpatched for 4 Months
Tenable CEO Amit Yoran once again accused Microsoft of irresponsible security practices, this time for letting a critical Azure vulnerability remain unpatched for four months.
The Baltimore-area exposure management vendor said researcher Evan Grant warned Microsoft on March 30 about a flaw in an Azure service that would allow an unauthenticated attacker to access cross-tenant applications and sensitive data such as application secrets. Even though Tenable researchers discovered authentication secrets for a bank, Yoran said Microsoft doesn't intend to fully fix the issue until Sept. 28.
"That's grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don't," Yoran wrote in a LinkedIn post Wednesday. "What you hear from Microsoft is 'just trust us,' but what you get back is very little transparency and a culture of toxic obfuscation."
A Microsoft spokesperson told Information Security Media Group Thursday that the company's initial fix in June mitigated the issue for the majority of customers and that the issue has now been fully addressed for all customers without any customer action required. Google Project Zero found that Microsoft products accounted for 42.5% of all zero-day vulnerabilities discovered since 2014, according to Yoran (see: Tenable CEO on Using AI to Spot Exploitable Vulnerabilities).
"Developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption," the Microsoft spokesperson said. "We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications."
Yoran's broadside against Microsoft comes six days after Sen. Ron Wyden, D-Ore., wrote a letter to CISA Director Jen Easterly, Attorney General Merrick Garland and FTC Chair Lina Khan urging them to hold Microsoft responsible for "negligent cybersecurity practices." Wyden said Microsoft's negligence enabled successful Chinese espionage involving hundreds of thousands of U.S. government emails.
"This is not the first espionage operation in which a foreign government hacked the emails of United States government agencies by stealing encryption keys and forging Microsoft credentials," Wyden wrote July 27 in a four-page letter. "Holding Microsoft responsible for its negligence will require a whole-of-government effort."
Yoran: Customers Kept in Dark About Microsoft Risks
In the Tenable situation, Yoran said, Microsoft took more than three months to implement a partial fix that only applied to new applications loaded in the service. According to Tenable's disclosure timeline, Microsoft confirmed the issue April 3 but didn't issue a fix until July 6 - nine days after Tenable had requested an update. But Tenable said the fix was incomplete, forcing it to open a new case July 11.
On July 21, Microsoft informed Tenable that the vulnerability won't be fully fixed until Sept. 28. Of more concern to Microsoft was public disclosure. When Tenable said it would publish an advisory July 31, Microsoft asked what information would be shared. Tenable said it told Microsoft it would withhold technical details and proofs of concept until Sept. 28.
"Microsoft's lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about," Yoran wrote in Wednesday's LinkedIn post. "How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?"
Microsoft last month gave clients access to greater cloud logging capabilities at no additional cost days after lower-level customers had been unable to detect a Chinese cyberattack. The company's capitulation came less than a week after critical logging information needed to detect a technically sophisticated Chinese espionage campaign had been available only to purchasers of Microsoft's top-tier cloud service.
"Offering insecure products and then charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seat belts and air bags," Wyden told The Wall Street Journal last month.
'A Reluctance to Be Transparent'
Yoran has been a frequent critic of Microsoft's security practices, telling Information Security Media Group last month that Active Directory and Azure Active Directory are "a complete train wreck from a security perspective." He said Microsoft has avoided making massive updates and improvements to Active Directory since the firm plans to retire the product at some point and force customers to migrate to Azure Active Directory.
When it comes to Azure Active Directory - which is being rebranded as Microsoft Entra ID - Yoran said Microsoft lifted and shifted big chunks of legacy code into the cloud, creating backward-compatibility issues. And while organizations typically safeguard on-premises Active Directory themselves with firewalls, logging systems and forensic tools, customers aren't afforded the same visibility into Azure Active Directory.
"Not only do you have all the exposures of Active Directory, you're now dealing with having to trust that the technology provider themselves hasn't been breached and hasn't had problems," Yoran told ISMG last month. "And we've seen time and again a reluctance to be transparent about breaches at Microsoft."
Tenable and Microsoft each sell security products but they are not direct competitors. Tenable's bread and butter is vulnerability management. It leads the space with 27.5% market share and competes most intensely against Qualys and Rapid7, IDC found. Microsoft doesn't even rank in the top 10 for market share when it comes to vulnerability management, IDC said - despite its status as the world's largest cybersecurity vendor with $20 billion of sales in 2022 and tools spanning identity, security, compliance, device management and privacy.
The company hit the $20 billion revenue milestone just 12 months after reaching $15 billion in security revenue and two years after revealing $10 million in annual security sales, Microsoft revealed in January (see: Microsoft Security Sales Hit $20B as Consolidation Increases).
"We're taking share across all major categories we serve," Chairman and CEO Satya Nadella told investors in January. "Customers are consolidating on our security stack in order to reduce risk, complexity and cost."
Updated Aug. 3 with comments from a Microsoft spokesperson