
Security experts: Microsoft does not properly protect customers

Security experts critical of Microsoft argue that the lack of transparency and failure to respond to reports of system vulnerabilities puts customers at risk.

Ars Technica reports that Microsoft is facing growing criticism from security experts, who say its lack of transparency and its slow response to online threats and vulnerabilities put customers at risk.


Microsoft boss Satya Nadella (Drew Angerer/Getty)

A recent post on the Orca Security blog revealed that it took Microsoft five months and three patches to fix a critical vulnerability in Azure. Orca Security reportedly warned Microsoft about the vulnerability in early January. The flaw is in the Synapse Analytics component of the cloud service and allowed any user with an Azure account to access other tenants’ resources.

Orca Security researcher Tzah Pahima lists the types of access an attacker could gain through the bug:

  • Log into other customers’ accounts, acting as their Synapse workspace. Depending on the configuration, we could have access to even more resources within the customer’s account.
  • Leak customer credentials stored in Synapse workspaces.
  • Interact with other customers’ integration runtimes. We could use any customer’s integration runtime to run remote code (RCE).
  • Control the Azure Batch pool, which manages all standard integration runtimes. We could run code on every instance.

However, although the bug is critical and time-sensitive, Microsoft was slow to recognize its seriousness. The company reportedly botched the first two patches and did not fully fix the bug until the update released on Tuesday. Pahima published a timeline of the process:

  • January 4 – Orca Security’s research team reported the vulnerability to the Microsoft Security Response Center (MSRC), along with the keys and certificates we had obtained.
  • February 19 and March 4 – MSRC requested additional information to assist with the investigation. We answered the next day.
  • End of March – MSRC deployed the first patch.
  • March 30 – Orca bypasses the patch. Synapse remained vulnerable.
  • March 31 – Azure awards us $60,000 for our discovery.
  • April 4 (90 days after disclosure) – Orca Security notifies Microsoft that the keys and certificates are still valid. Orca still has access to the Synapse control server.
  • April 7 – Orca meets with MSRC to clarify the impact of the vulnerability and the steps needed to fully fix it.
  • April 10 – MSRC fixes the bypass and finally revokes the Synapse management server certificate. Orca bypasses the patch again. Synapse remained vulnerable.
  • April 15 – MSRC releases a third patch that fixes the RCE and the reported attack vectors.
  • May 9 – Both Orca Security and MSRC publish blog posts describing the vulnerabilities, mitigation measures, and recommendations for customers.
  • End of May – Microsoft rolls out broader tenant separation, including ephemeral instances and scoped tokens for the shared Azure integration runtime.

A similar story was told by security firm Tenable, which said Microsoft had failed to fix a separate vulnerability associated with Azure Synapse. Tenable Chairman and CEO Amit Yoran complained about Microsoft’s “lack of cybersecurity transparency” in an article titled “Microsoft’s Vulnerable Apps Put Customers at Risk.”

Yoran wrote:

Both of these vulnerabilities could be exploited by anyone using the Azure Synapse service. After assessing the situation, Microsoft decided to silently fix one of the issues, downplaying the risk. Only after we told them we would go public did their story change… 89 days after the vulnerability was first reported, when they privately acknowledged the seriousness of the security issue. To date, Microsoft customers have not been notified.

You can read the full report at Ars Technica.

Source: Breitbart
