Microsoft has resolved a security vulnerability that allowed unauthorized access to sensitive data managed by Azure AD, a cloud service used for user authentication by large companies.
The issue gained attention when Amit Yoran, the CEO of the cybersecurity firm Tenable, posted a scathing critique of Microsoft’s handling of the vulnerability on LinkedIn. A Tenable researcher had discovered the problem on March 30; it granted limited access to cross-tenant applications and to sensitive information, including authentication secrets.
Tenable promptly reported the vulnerability to Microsoft, and the tech giant confirmed it on April 3. However, Microsoft took several months to address the issue, eventually claiming a fix on July 6. Tenable, upon reviewing the fix, found that it was incomplete and still exploitable. The two companies engaged in back-and-forth discussions, with Microsoft setting the release of a complete fix for September 28.
Yoran criticized Microsoft for its slow response and expressed concern that the affected bank remained vulnerable more than 120 days after the initial report. He questioned Microsoft’s approach to security, stating that the current shared responsibility model is broken if cloud vendors fail to notify customers promptly about issues and apply fixes openly. He argued that Microsoft’s lack of transparency and obfuscation raises doubts about their commitment to doing the right thing for customers.
On Wednesday, after Yoran’s LinkedIn post was published, Microsoft promptly released a fix for the vulnerability, and it followed up with its own blog post about the issue on Friday. A Microsoft spokesperson defended the company’s response, stating that the initial fix in June had mitigated the problem for the majority of customers. The spokesperson emphasized that Microsoft appreciates responsible disclosure of product issues by the security community and described its process of investigation, update development, and compatibility testing for affected products.
According to Microsoft’s investigation, the only person to exploit the vulnerability was the Tenable researcher who discovered it. Affected customers were contacted, and after the June 7 fix only a very small subset of them remained affected. Microsoft said it took additional steps to validate complete mitigation for any potentially remaining customers, and argued that rushing out a fix could have caused more disruption than the risk posed by the vulnerability.
Yoran said he was uncertain whether the issue had genuinely been fixed or whether Tenable had simply been blocked from further testing. Other vendors, he noted, typically inform Tenable of fixes so it can validate them, but with Microsoft Azure that transparency is lacking, making the platform a black box and contributing to the problem.
Microsoft has faced severe criticism in recent months due to several security lapses that have angered senior levels of the U.S. government. A U.S. senator requested investigations into a hack allegedly perpetrated by Chinese government hackers targeting Microsoft-provided email accounts used by top officials. Microsoft’s handling of the SolarWinds scandal was also criticized.
Yoran cited a report from Google Project Zero, which found that Microsoft products accounted for 42.5% of all zero-day vulnerabilities discovered since 2014. He accused Microsoft of lacking transparency in breaches, security practices, and vulnerabilities, leaving their customers in the dark and exposed to undisclosed risks.