Tenable CEO accuses Microsoft of negligence in addressing security flaw

Veteran cybersecurity executive Amit Yoran accused Microsoft on Wednesday of dragging its feet on fixing a critical vulnerability affecting its Azure platform and said the tech giant’s slow response illustrates a negligent approach to security.

His harsh public critique of Microsoft — a relatively rare event for a high-profile corporate figure in cybersecurity — follows criticism from lawmakers and researchers alike after a recent cyberattack affecting U.S. government officials resulted from a Microsoft security lapse.

As the CEO of Tenable, a firm that helps companies understand and mitigate their cybersecurity vulnerabilities, Yoran said he works with hundreds of companies every year to disclose and patch vulnerabilities. Microsoft, he said, consistently fails to proactively and professionally address vulnerabilities in their products.

“In Microsoft’s case you have a culture which denies the criticality of vulnerabilities,” Yoran told CyberScoop in an interview.  

The former national cybersecurity director at the Department of Homeland Security, Yoran detailed his concerns with Microsoft’s approach to addressing vulnerabilities in a blog post published Wednesday after researchers at his company identified a critical vulnerability in a Microsoft Azure product, informed Microsoft of the flaw and then waited in vain for the technology to address the issue.

The flaw allowed Tenable’s research to, among other things, access a bank’s authentication secrets, but four months after it was disclosed to Microsoft, the vulnerability still hasn’t been properly patched, Yoran said.

According to a timeline in a limited blog published to Tenable’s website, Microsoft acknowledged the issue the same day it was disclosed on March 30, and confirmed it four days later. Tenable asked for an update June 27 and was told on July 6 that it was fixed, but Tenable says it was merely a partial fix. On July 21, Microsoft told Tenable that it would take until Sept. 28 for a complete fix. Tenable agreed to withhold technical details and proofs-of-concept until Sept. 28.

In his blog post, Yoran described Microsoft’s approach to addressing the issue as “grossly irresponsible, if not blatantly negligent.” More than 120 days since the vulnerability was reported, the bank in question remains vulnerable, Yoran wrote, adding that many vulnerable organizations “still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions.”

A spokesperson for Microsoft said that the company appreciates “the collaboration with the security community to responsibly disclose product issues” and that security updates are ultimately “a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”

The company said Friday in a blog post that the issue has “been fully addressed for all customers,” no customer remediation action is required and that all affected customers were notified via starting Friday. Microsoft said its investigation “identified anomalous access only by the security researcher that reported the incident, and no other actors.”

Yoran’s broadside against Microsoft come amid growing scrutiny of Microsoft in Washington after one of the company’s products was abused by hackers based in China to steal the email messages of senior U.S. officials. In that incident, hackers based in China were able to steal an encryption key that they could then use to forge authentication tokens, and security researchers have sharply criticized the company for not only allowing an encryption key to be stolen but for building a computing architecture in which tokens could be forged in this way at all.

The incident spurred Sen. Ron Wyden, D-Ore., to call Microsoft “negligent” in its security practices and request that the Justice Department investigate whether Microsoft’s actions in the incident broke the law.

While Microsoft has insisted that the Chinese operation was highly targeted, research by the cloud security company Wiz suggests the incident may have been more broad than first understood — a claim Microsoft has dismissed as speculative.

The vulnerability discovered by Tenable allowed “an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets,” according to Yoran’s blog post. It appears that vulnerability does not exploit the same types of authentication flaws seen in the recent incident involving Chinese hackers, but may add pressure on Microsoft to improve its security practices.

Industry professionals and government officials pointed out that the Chinese operation was only detected because a government agency was paying additional money for more sensitive logging capabilities. Microsoft later reversed that policy and expanded logging visibility and retention for certain customers.

Yoran, who has grown increasingly critical of Microsoft in recent years, told CyberScoop that the company’s dominant position in the technology ecosystem makes many computer security researchers hesitant to speak up about its security practices but that doing so is especially important given the ubiquity of its products.

“Microsoft is a pretty strategic problem in the security space given their pervasiveness of their software, of their infrastructure,” Yoran said. “I also think they have to be part of the solution.”

Updated, Aug. 3, 2023: This article has been updated with a statement from a Microsoft spokesperson.
Updated, Aug. 4, 2023: This article has been updated to include a statement from Microsoft that the vulnerability in question has been fixed.