Microsoft slammed over slow security patching

Microsoft Surface Laptop SE
(Image credit: Mark Pickavance)

Several cybersecurity firm have criticized Microsoft for what they claim are slow and opaque patching practices. 

Orca Security and Tenable have both been quite vocal on how Microsoft handles high-severity vulnerabilities. The former says it has been trying to get Microsoft to fix a critical issue in Azure’s Synapse Analytics since early January 2022, and after a lot of back and forth, as well as two failed attempts, the company finally managed to provide a patch for user endpoints, properly, only on April 15. 

Tenable has also voiced its dissatisfaction with how the Synapse issue was resolved, the publication further found. In a LinkedIn post, the company’s Chairman and CEO, Amit Yoran, said there’s a “lack of transparency” Microsoft showed, just a day before the embargo on privately disclosed vulnerabilities lifts.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Slow Follina patch

“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk,” Yoran said. “It was only after being told that we were going to go public, that their story changed... 89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.”

Microsoft was also criticized for the way it handled the Follina vulnerability, which was apparently only patched after being “actively exploited in the wild for more than seven weeks”. 

Researchers from Shadow Chaser Group apparently reached out to Microsoft in April, to report on Follina being used in the wild, but the company didn’t declare it as a vulnerability until two weeks ago, for unknown reasons. 

Slow or not, Microsoft did go into detail on how it fixed the Azure flaw: "We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection."

Via: Ars Technica

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.