Microsoft has been accused of a lack of transparency in its vulnerability practices, with the security outfit Tenable claiming these practices put the software giant’s customers at risk.
Tenable chairman and chief executive Amit Yoran said in a blog post that his company had discovered two flaws, one of which it considered critical, in Microsoft’s Azure platform, both in the Synapse Analytics part of Azure.
Synapse Analytics is used for machine learning, data aggregation and similar computational tasks.
One of these flaws was a privilege escalation flaw within the context of a Spark VM. The second allowed the poisoning of the hosts file on all nodes in a Spark pool.
Yoran wrote that Microsoft decided to silently patch the privilege escalation flaw, while downplaying the risk. “It was only after being told that we were going to go public, that their story changed… 89 days after the initial vulnerability notification… when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified,” he added.
Tenable researcher James Sebree wrote that the company had rated the issue as critical severity, basing its reasoning on the concept of the Spark VM itself.
He said: “During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues. A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research.
“This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.
“During the final weeks of the disclosure process, MSRC [Microsoft Security Research Centre] began attempting to downplay this issue and classified it as a ‘best practice recommendation’ rather than a security issue. Their team stated the following (typos are Microsoft’s): ‘[W]e do not consider this to be a important severity security issue but rather a better practice’.”
Yoran said this was not an isolated case. “This is a repeated pattern of behaviour. Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft’s dismissive attitude about the risk that vulnerabilities present to their customers,” he said.
“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially.
“Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack… or if they fell victim to attack prior to a vulnerability being patched.
“And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”
Yoran pointed to the case of FireEye/Mandiant, which provided what he said was “an exemplary model for responsible disclosure when the company disclosed their breach, even prior to the forensic evidence resulting in the SolarWinds revelations of 2020”.
He said the answer did not lie in just asking vendors to do better. “Holding a cloud or technology provider to a standard of care and transparency is essential. Independent audit and assessment of IT infrastructure and cloud service providers should be mandatory.
“The fox is guarding the henhouse. Trust but verify. The simple lessons we have been taught since elementary school remain applicable in cyber.”