Microsoft Fixes Azure Flaw in the Wake of Withering Criticism

Microsoft announced that it has fixed a flaw in its Azure family of cloud services after security researchers criticized it for moving too slowly. To its credit, Microsoft owned up to the fact that the researcher had told it about the bug months ago, and the story it tells confirms the complaint.

“On March 30, 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code,” the Microsoft Security Response Team writes in its disclosure post. “This issue has [now] been fully addressed for all customers and no customer remediation action is required. All impacted customers have been notified of … anomalous access, only by the security researcher that reported the incident, and no other actors … through the Microsoft 365 Admin Center.”


Long story short, when properly apprised of the vulnerability by a Tenable security researcher, Microsoft did nothing until early June, over two months later, when (in Microsoft’s words) it issued an “initial fix” to “mitigate this issue for a majority of customers.” But in July, Tenable discovered that the flaw was still present, albeit (again, in Microsoft’s words) for “a very small subset” of the previously impacted code.

“Microsoft engineering [then] took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions,” the MSRT explains. “This work was completed on August 2, 2023.” There’s a lot more explanation in the MSRT post if you want Microsoft’s responsible-sounding version of the story. But that’s not exactly how Tenable chairman and CEO Amit Yoran sees these events.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Mr. Yoran complained on LinkedIn, earlier on August 2. He says that the flaw his team found let them “very quickly discover authentication secrets to a bank.” And so they informed Microsoft, which then “took more than 90 days to implement a partial fix – and only for new applications loaded in the service.”

“The bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix,” he continues. “Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t.”

This was, of course, written before the MSRT post and arrival of the quickly released fix, which apparently would have sat unused for two more months, inside Microsoft, had Yoran not spoken out publicly. “Microsoft’s track record puts us all at risk,” he concludes. “And it’s even worse than we thought.”

“Microsoft appreciates the security community’s research and disclosure of vulnerabilities,” the MSRT post answers in its own conclusion. “Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes, and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.”

Thurrott © 2024 Thurrott LLC