A cybersecurity firm is calling out Microsoft for allegedly taking too long to patch a serious vulnerability that has threatened the company’s enterprise customers for months.
“Microsoft claims that they will fix the issue by the end of September, four months after we notified them,” Amit Yoran, CEO of Tenable, wrote in a Wednesday LinkedIn post.
According to Yoran, a Tenable security researcher discovered a “critical” flaw in Microsoft’s Azure cloud computing platform in March. The vulnerability could allow a hacker to access applications and sensitive data, including authentication secrets, from enterprise customers that use Azure.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran said.
Tenable notified Microsoft about the problem, fearing the vulnerability could help a hacker breach numerous customer networks. But according to Yoran, Microsoft was slow to roll out a patch and then failed to fully fix the problem.
"They took more than 90 days to implement a partial fix—and only for new applications loaded in the service," he alleges. "That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix."
Yoran published the LinkedIn post days after Sen. Ron Wyden harshly criticized Redmond for “negligent cybersecurity practices” after state-sponsored hackers breached Microsoft services twice: once during the 2020 SolarWinds hack, and again in the Outlook-based email hack that was disclosed last month.
Wyden is calling on federal authorities to investigate Microsoft.
Read more on pcmag.com