Dive Brief:
- Tenable CEO Amit Yoran publicly called out Microsoft Monday morning over what he claimed is a lack of transparency in how the software giant handles vulnerability disclosure. Yoran alleged in a LinkedIn blog post that Tenable discovered two vulnerabilities in Microsoft’s Azure Synapse service in March, one of which Tenable researchers considered critical.
- He claimed Microsoft quietly patched one of the vulnerabilities, while downplaying the true risk to users. Microsoft privately acknowledged the severity of the problem, but has not yet notified customers, according to Yoran. Microsoft officials were not immediately available to provide a response prior to Cybersecurity Dive’s publication deadline, but the story will be updated when they do.
- Yoran claimed this was part of an ongoing pattern with Microsoft, as other security research from Orca Security, Wiz, Positive Technologies and Fortinet has shown, according to the blog post. The current Follina vulnerability, for which Microsoft has offered a workaround but has yet to provide a patch, is the latest example of that pattern.
Dive Insight:
Tenable argues the interaction is part of a larger pattern involving Microsoft’s lack of transparency on vulnerability disclosure. Tenable cites recent examples involving Orca Security, Positive Technologies, Fortinet and Wiz.
Tenable abides by Microsoft’s 90-day disclosure policy on vulnerability reporting, according to Bob Huber, chief security officer and head of Tenable research.
“Communication with the Microsoft Security Response Team was poor throughout the process, but they do require a 90-day period from the time we notify them of a vulnerability until we are cleared to discuss the vulnerability publicly, giving them time to review the issue, create a patch if necessary and notify their customers.”
Huber said the 90-day window expired mid-week last week, during the RSA Conference.
The ongoing Follina vulnerability has raised questions from security researchers about why Microsoft has provided limited disclosures and workarounds, but has yet to provide a full security update with a patch.
There are also questions about the timeline, with researchers saying Microsoft was notified of the Follina vulnerability months earlier but dismissed the potential risk it posed to Microsoft Office customers.
Microsoft President Brad Smith in early 2021 publicly called out many of the leading technology companies for failing to come forward with more robust disclosure following the SolarWinds supply chain attack, linked to the threat actor it dubbed Nobelium.
Microsoft was a leading proponent of enhanced information sharing, actively notified customers following the attacks, and encouraged customers to move their on-premises business into the cloud so that Microsoft could be alerted to potential threats on their behalf.
Erik Nost, senior analyst at Forrester, said the claims from Tenable raise questions about the shared responsibility model in cloud.
“Where cloud providers are responsible for maintaining underlying infrastructure, when should they let customers know a critical issue was identified and patched?” Nost said via email. “This could create confusion for some customers that just want to know what they need to maintain, but some customers may want to know if they were vulnerable and for how long.”