Microsoft has recently issued a rare response to criticism regarding its alleged negligent security practices and its approach to patching security vulnerabilities. The CEO of Tenable, Amit Yoran, published a scathing critique of the company, claiming that its lack of transparency and irresponsible security practices have put customers at risk.
Yoran argued that Microsoft has a history of intentionally keeping customers in the dark about security vulnerabilities, and he believes the company should be held accountable for its actions. This criticism comes in the aftermath of a Chinese cyber espionage incident, in which threat actors accessed emails belonging to government officials, prompting similar concerns about Microsoft’s security approach.
One particular point of contention in Yoran’s critique is the disclosure of a critical security vulnerability in Microsoft’s Power Platform on Azure. Tenable claims that it informed Microsoft of the issue in March, but it took several months before the company released a partial fix. Yoran sees this delay as a significant risk to customers and views it as a negligent approach by Microsoft.
In response, Microsoft strongly disagrees with these claims. The tech giant stated that its approach to fixing the vulnerability followed established practices, which involve thorough investigation, development of updates, and compatibility testing. Microsoft believes that developing a security update requires a delicate balance between speed, safety, and the quality of the fix.
Microsoft argues that rushing a fix for certain vulnerabilities can cause more disruption for customers than the risk posed by the vulnerability itself. On that basis, the company characterizes its handling of this particular vulnerability not as negligence but as a cautious, measured process intended to ensure the patch could be applied seamlessly without unintended disruption for customers.
The firm emphasized that an embargo period is necessary to provide ample time for a quality fix. Microsoft acknowledges that not all fixes can be completed and safely applied quickly and that some may take longer to develop.
It is important to note that the vulnerability Tenable reported in March was officially patched by Microsoft on August 2nd. Microsoft further stated that its investigation found only a small subset of customers to be affected, on which basis it concluded that the risk was low.