Microsoft is a “Strategic Problem in the Security Space,” Says CEO

Satya Nadella, with caption quote: “Culture of toxic obfuscation”

Yoran has had enough—and he’s not gonna take it anymore.

Tenable CEO Amit Yoran says his team reported a critical Azure bug four months ago. Has Microsoft fixed it yet? “Of course not,” he says.

Satya Nadella (pictured) can’t be happy. Looks like he’s about to punch someone. In today’s SB Blogwatch, we can’t say we’re totally surprised to hear about security foot-dragging in Redmond.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Amazing 70-year-old calculating machine.

Fist of FAIL

What’s the craic? Elias Groll and AJ Vicens report—“Cybersecurity veteran Amit Yoran says Microsoft has a culture of toxic obfuscation when it comes to addressing security threats”:

Growing scrutiny of Microsoft
Yoran accused Microsoft … of dragging its feet on fixing a critical vulnerability affecting its Azure platform and said the tech giant’s slow response illustrates a negligent approach to security. His harsh public critique of Microsoft — a relatively rare event for a high-profile corporate figure in cybersecurity — follows criticism from lawmakers and researchers alike after a recent cyberattack … from a Microsoft security lapse.

Microsoft, he said, consistently fails to proactively and professionally address vulnerabilities in their products. “In Microsoft’s case you have a culture which denies the criticality of vulnerabilities.” … Researchers at his company identified a critical vulnerability in a Microsoft Azure product [and] waited in vain for [Microsoft] to address the issue. The flaw allowed [them] to … access a bank’s authentication secrets, but four months after it was disclosed … the vulnerability still hasn’t been properly patched.

“Microsoft is a pretty strategic problem in the security space.” … Yoran’s broadside against Microsoft comes amid growing scrutiny of Microsoft. … Hackers based in China were able to steal an encryption key [and] forge authentication tokens. … Security researchers have sharply criticized the company for not only allowing an encryption key to be stolen but for [an] architecture in which tokens could be forged in this way at all.

Who can add more? Michael Kan can—“Slow, Incomplete Bug Patches”:

A majority of customers
According to Yoran, Microsoft was slow to roll out a patch and then failed to fully fix the problem: … “They took more than 90 days to implement a partial fix—and only for new applications loaded in the service,” he alleges.

Microsoft tells [me] it has fully addressed the vulnerability for all customers. It also claims that the initial fix rolled out in June mitigated the issue for a majority of customers.

Horse’s mouth? Amit Yoran says it’s not fully fixed—“The Truth Is Even Worse Than You Think”:

Toxic obfuscation
Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about. … Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not.

The bank … is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk. … That’s grossly irresponsible, if not blatantly negligent.

What you hear from Microsoft is “just trust us,” but what you get back is very little transparency and a culture of toxic obfuscation. … Microsoft’s track record puts us all at risk.

CW: Loose metaphors related to mental health. Here’s insanitybit:

TBH, the issues that I’ve seen with Azure are … “I don’t believe anyone did a basic pentest against that system even once,” levels of shocking. That’s insane for a company the size of Microsoft. These vulns are cross tenancy violations—which, again, is insane. That’s as bad as it gets.

The insane thing is that some of these vulns are as easy to discover as just running nmap. I’m sort of shocked that people haven’t run into them accidentally. Hardly sophisticated. I’m not trusting Azure with ****.

The vulns … were so bad I basically wrote off Azure that day. And not bad like, ‘Impact is high,’ [but] bad like, ‘Did anyone in your massive security org actually look at this?’

That sounds hilariously bad. I don’t see pnellesen laughing, though:

I’d laugh, but I’ve spent the past 3 years as part of the team that migrated almost the entirety of our Fortune 500 company’s infrastructure and application base to Azure. If Azure goes down, or our subscriptions are compromised, we’re so freaking screwed. Glad I can retire pretty much any time I want.

Anyone else? Henry Hallan piles on:

Microsoft have a decades-long history of poor security. … Shouldn’t customers have an expectation that their data will be secured?

Are Yoran’s experiences typical? You bet they are, thinks blaktronium:

Yeah anyone that has ever reported a security issue to MS has seen the same run around. A few years back I discovered a bug in exchange online that allowed me to use one O365 tenant to capture all outbound traffic from another organization destined to O365 [and] read their email.

I reported it directly to them at a pretty high level. They even wrote off the 150k premier support bill we racked up troubleshooting it. … And it took them a long time to close it.

Well, you know what Einstein said (or not)? midoridensha does:

What’s truly insane is that people keep expecting Microsoft to do better, and then being disappointed when they don’t. The common saying is, “The definition of insanity is doing the same thing and expecting a different result,” and that’s exactly what most people do in regards to Microsoft and product quality or security.

Meanwhile, randomcat pictures the scene:

Microsoft: Sorry about that, government institutions! Security is hard LOL. So, anyway, your monthly bill is coming up—would you like to pay that now?

And Finally:

1954 Curta is busted

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Bhupinder Nayyar (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
