Microsoft Resolves Vulnerability Following Criticism from Tenable CEO
Microsoft has successfully addressed a vulnerability that allowed unauthorized access to information managed by Azure AD, a cloud service used by large companies for user authentication. The issue gained public attention when Amit Yoran, CEO of cybersecurity firm Tenable, criticized Microsoft’s handling of the vulnerability in a scathing LinkedIn post.
The vulnerability was discovered by a researcher at Tenable on March 30, and it enabled limited unauthorized access to cross-tenant applications and sensitive data, including authentication secrets. Tenable promptly reported the issue to Microsoft, who confirmed it on April 3.
In his post, Yoran expressed concern about the severity of the vulnerability, revealing that his team quickly discovered authentication secrets to a bank. He emphasized the ethical responsibility to notify Microsoft immediately. However, Microsoft took months to respond and claimed to have fixed the issue on July 6. Tenable later discovered that the fix was incomplete and exploitable.
Microsoft asked Tenable to delay publishing any details about the vulnerability, leading to weeks of back-and-forth communication. Eventually, Microsoft stated that a fix would be released on September 28. Yoran criticized Microsoft for the delay, highlighting that the bank on which they had tested the vulnerability remained vulnerable more than 120 days after it was reported.
Microsoft responded to the controversy by releasing a fix for the issue within a day of Yoran’s blog post. They argued that the initial fix in June had mitigated the issue for the majority of customers. Microsoft confirmed that the vulnerability could lead to unintended information disclosure of secrets or other sensitive information. They assured customers that the only person to exploit the vulnerability was the Tenable researcher, and affected customers were contacted.
Yoran expressed uncertainty about whether the issue was genuinely fixed or if Tenable was blocked from further testing. He criticized Microsoft’s lack of transparency and their track record with breaches and vulnerabilities. Microsoft has faced criticism for security lapses, including a recent hack allegedly by Chinese government hackers targeting email accounts used by top government officials.
Despite the controversy, Microsoft maintains that they follow an extensive process to address product issues and balance timeliness with quality. They believe rushing out a fix could cause more customer disruption than the risk posed by the vulnerability.
It is crucial for cloud vendors like Microsoft to provide timely notifications and openly apply fixes to maintain trust and security in the shared responsibility model.