Amit Yoran, a seasoned cybersecurity executive, accused Microsoft of being sluggish in addressing a critical vulnerability affecting its Azure platform. He criticized the tech giant’s slow response, describing it as a negligent approach to security. This public critique, which is uncommon for a high-profile figure in cybersecurity, came after lawmakers and researchers criticized Microsoft for a recent cyberattack resulting from a security lapse.
As the CEO of Tenable, a company that assists businesses in understanding and mitigating cybersecurity vulnerabilities, Yoran stated that he works with numerous companies each year to disclose and patch vulnerabilities. He expressed frustration that Microsoft consistently fails to proactively and professionally address vulnerabilities in their products. Yoran highlighted his concerns about Microsoft’s handling of vulnerabilities in a blog post, particularly after Tenable researchers identified a critical vulnerability in a Microsoft Azure product and notified the company about it.
Despite reporting the flaw to Microsoft four months ago, the vulnerability remains unpatched, which Yoran considers grossly irresponsible or even blatantly negligent on Microsoft’s part. He shared a timeline indicating that Microsoft acknowledged the issue promptly but failed to provide a proper fix. The situation raises concerns about the security of vulnerable organizations, as many may not be aware of the risks they face.
The incident comes at a time when Microsoft faces increased scrutiny in Washington due to its product being exploited by Chinese hackers to steal email messages from senior U.S. officials. Senator Ron Wyden has called Microsoft negligent in its security practices and has requested a Justice Department investigation. However, Microsoft has maintained that the attack was highly targeted and downplayed the extent of the breach.
Yoran’s criticism highlights the challenge of holding Microsoft accountable given its dominant position in the technology ecosystem, making some security researchers hesitant to speak up. Nevertheless, Yoran believes it is essential to address security concerns, considering the widespread use of Microsoft’s products and infrastructure.