In a post on LinkedIn, Amit Yoran, CEO of the IT security services provider Tenable, criticizes Microsoft's handling of security vulnerabilities. According to him, the company exposes its customers to unnecessary risk: the lack of transparency in cybersecurity spells danger for all of us. The picture that emerges is one of failed patches, misjudged severity of security holes, and at times miscommunication about (already fixed) vulnerabilities.
Silently patched security holes
Yoran illustrates the problem with a specific case. In March, IT security researchers at Tenable discovered security holes in Microsoft's Azure Synapse, a big data analytics service, including one they classify as critical. After an evaluation, Microsoft quietly fixed one of the holes and downplayed the potential risk.
Only after Tenable informed Microsoft that it would publish details of the vulnerability did anything change: Microsoft privately confirmed the severity of the vulnerability 89 days after being notified. Microsoft customers, however, still have not received any information about it.
The problem, Yoran continues, is that this lack of transparency on the part of an IT infrastructure or cloud service provider increases risk exponentially. Without timely and detailed information, customers have no way of knowing whether they are, or still are, vulnerable to attack, or whether they have already fallen victim to an attack on a hole that has since been patched. If customers do not receive a vulnerability notification, they have no opportunity to search for evidence of whether they were compromised, which Yoran calls a highly irresponsible policy.
Not an isolated case
Tenable is not alone: other IT security companies such as Wiz, Positive Security, and Fortinet have described similar experiences. Orca Security can add its own account. The company's researchers also discovered a vulnerability in Azure Synapse that, among other things, would have let attackers easily access data if they knew the name of a workspace. This would have given them broader access to, and control over, the workspace. They could also have executed their own code on customer machines in the Azure Synapse analytics service.
The timeline of the vulnerability report and its remediation fits the picture. In short, Orca Security writes: over 100 days until the final fix; three patches, the first two of which could be bypassed; and the certificate for the internal control server was only revoked and invalidated after 96 days. On the positive side, both Microsoft and Orca Security have published background and details on the vulnerabilities on their blogs after those 100 days. There is, however, no indication that Azure customers are being actively notified.
(DMK)