Microsoft accused of a pattern of repeated negligent cybersecurity practices

The CEO of Tenable has called out Microsoft for its security practices following an attack on the tech giant’s Azure platform, which was disclosed in early July. 

Chinese espionage hacking group “Storm-0558” breached an undisclosed number of emails via Outlook Web Access in Exchange Online and Outlook.com. These emails were linked to 25 organizations, including government agencies in Western Europe and the US, as well as individual customer accounts. The breach began on May 15th and was first detected a month later when a customer reported it to Microsoft. 

In a LinkedIn post, Amit Yoran, CEO of cybersecurity company Tenable, has revealed that this isn’t the first time Microsoft has fallen victim to such an attack and put its customers at risk. And the details of his post are pretty damning.

A history of negligence

According to Yoran, a member of Tenable’s research team discovered a severe vulnerability in Microsoft’s Azure platform back in March. This weakness had the potential to let a threat actor access all manner of an organization’s sensitive data, including cross-tenant applications and authentication secrets. In fact, the Tenable team was able to use the exploit to obtain a bank’s authentication secrets. The company quickly alerted Microsoft to the issue, expecting it to react swiftly. Instead, it took 90 days to apply a partial fix to the problem, and that fix was only applied to new applications on the service. Microsoft informed Tenable that the issue would be fully fixed in September, which Yoran describes as “grossly irresponsible, if not blatantly negligent.”

The Verge reports that Microsoft has fixed the issue since Yoran’s post was published. In an email to The Verge, Microsoft senior director Jeff Jones responded to some of the criticism, explaining that the company follows an extensive process when investigating impacted products:

“Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”

Even so, many are still frustrated with the tech giant. In his LinkedIn post, Yoran also supports his case by pointing to data from Google Project Zero, a team of security analysts employed by Google whose purpose is finding zero-day vulnerabilities. According to this data, since 2014, Microsoft products have been responsible for 42.5% of all zero-days discovered.

Yoran isn’t the only one frustrated by Microsoft’s cybersecurity practices. In late July, Oregon Senator Ron Wyden sent a letter to the Department of Justice, the Cybersecurity and Infrastructure Security Agency, and the Federal Trade Commission, urging them to hold Microsoft to account for “negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.”

Conclusion

While Microsoft has addressed some of the issues discussed in this article, the frustration of cybersecurity professionals is understandable. As one of the world’s leading tech companies that provides IT infrastructure for countless organizations worldwide, the highest quality of security should be provided as standard.
