Microsoft is facing mounting criticism in the wake of last month’s attack on Azure. In a post on LinkedIn, Amit Yoran, the CEO of the cybersecurity company Tenable, says Microsoft’s cybersecurity track record is “even worse than you think” — and he has an example to back it up.
On July 12th, Microsoft disclosed a major breach targeting its Azure platform, which it traced to a Chinese hacking group known as Storm-0558. The attack affected around 25 different organizations and resulted in the theft of sensitive emails from US government officials. Last week, Senator Ron Wyden (D-OR) sent a letter to the US Department of Justice, asking it hold Microsoft accountable for “negligent cybersecurity practices.”
Yoran has more to add to the senator’s arguments, writing in his post that Microsoft has demonstrated a “repeated pattern of negligent cybersecurity practices,” enabling Chinese hackers to spy on the US government. He also revealed Tenable’s discovery of an additional cybersecurity flaw in Microsoft Azure and says the company took too long to address it.
Tenable initially discovered the flaw in March and found that it could give bad actors access to a company’s sensitive data, including a bank. Yoran claims Microsoft took “more than 90 days to implement a partial fix” after Tenable notified the company, adding that the fix only applied to “new applications loaded in the service.” According to Yoran, the bank and all the other organizations “that had launched the service prior to the fix” were still affected by the flaw — and were likely unaware of that risk.
While Microsoft initially planned to resolve the issue by the end of September — a delay Yoran calls “grossly irresponsible, if not blatantly negligent” — Microsoft pushed a fix shortly after Yoran’s post was published. Microsoft says vulnerability could’ve resulted in “unintended information disclosure,” but adds that no one other than Tenable’s research was able to exploit the flaw. Tenable has since published more details about the issue.
“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” Yoran writes. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?”
The security firm Wiz reported last week that the hack on Azure may have been more far-reaching than originally thought, although Microsoft has since disputed its findings. Yoran also points to data from Google’s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.
Microsoft senior director Jeff Jones responded to Yoran’s criticism in an emailed statement to The Verge:
We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.
Microsoft has been involved in numerous recent data breaches, including the infamous Solar Winds hack that affected agencies across the US government. The company also suffered an attack affecting over 30,000 organizations due to flaws in its Microsoft Exchange Server software. The US government will soon force companies to become more forthcoming about security issues, as new rules at the Securities and Exchange Commission will require companies to disclose a hack within four days of its discovery.
Update August 4th, 5:37PM ET: Added that Microsoft fixed the discovered vulnerability.