Several cybersecurity firm have criticized Microsoft for what they claim are slow and opaque patching practices.
Orca Security and Tenable have both been quite vocal on how Microsoft handles high-severity vulnerabilities. The former says it has been trying to get Microsoft to fix a critical issue in Azure’s Synapse Analytics since early January 2022, and after a lot of back and forth, as well as two failed attempts, the company finally managed to provide a patch for user endpoints (opens in new tab), properly, only on April 15.
Tenable has also voiced its dissatisfaction with how the Synapse issue was resolved, the publication further found. In a LinkedIn post (opens in new tab), the company’s Chairman and CEO, Amit Yoran, said there’s a “lack of transparency” Microsoft showed, just a day before the embargo on privately disclosed vulnerabilities lifts.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
Slow Follina patch
“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch (opens in new tab) one of the problems, downplaying the risk,” Yoran said. “It was only after being told that we were going to go public, that their story changed... 89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security (opens in new tab) issue. To date, Microsoft customers have not been notified.”
Microsoft was also criticized for the way it handled the Follina vulnerability, which was apparently only patched after being “actively exploited in the wild for more than seven weeks”.
> Microsoft patches Follina threat in latest Patch Tuesday release (opens in new tab)
> Windows Follina zero-day now being abused to infect PCs with Qbot malware (opens in new tab)
> Watch out for this dangerous new Microsoft Word scam, Office users warned (opens in new tab)
Researchers from Shadow Chaser Group apparently reached out to Microsoft in April, to report on Follina being used in the wild, but the company didn’t declare it as a vulnerability (opens in new tab) until two weeks ago, for unknown reasons.
Slow or not, Microsoft did go into detail on how it fixed the Azure flaw: "We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection."
Via: Ars Technica (opens in new tab)