In August, during a presentation at Black Hat USA, a security researcher unveiled vulnerabilities in Microsoft guest accounts that allowed unauthorized access to sensitive corporate data. The researcher also demonstrated how Power Platform could be abused to create internal phishing applications and to establish persistent backdoors that survived even the deletion of the compromised user account. These security flaws continue to pose a threat to organizations, because mitigating them falls to Microsoft customers, who must monitor and harden their own environments.
Prior to this presentation, the security researcher faced a dilemma over what information to share. They were aware of the risk that disclosing these vulnerabilities could alert attackers to their existence. However, since these issues were already being exploited in the wild, it was crucial to level the playing field and give security teams the knowledge and tools to protect their organizations.
This predicament is not unique to the researcher in question. Several other researchers have faced similar choices, where they must decide between remaining silent or educating the public about unresolved security issues. By sharing their findings, these researchers aim to raise awareness and drive action towards addressing these vulnerabilities.
The landscape of security research has significantly changed over time. Gone are the days when researchers would reveal zero-day vulnerabilities on stages like Black Hat or DEF CON. While this shift is generally positive, as it fosters collaboration between researchers and vendors, it has also led to a loss of certain dynamics within the security community. However, vendors now recognize that security researchers play a crucial role in improving the overall security of their products and services.
Most researchers today follow a responsible disclosure route: they engage with the vendor and allow it time to address the vulnerabilities before making them public. Nevertheless, researchers often end up disclosing anyway, because they believe the vendor is not adequately addressing the issues within a reasonable timeframe. In the past, security researchers would expose vulnerabilities publicly as a matter of course, putting pressure on vendors to fix them promptly.
Today, the balance of power between researchers and vendors is unequal. Researchers often find themselves pitted against vast enterprises with abundant resources, a strong media presence, and legal teams. This power dynamic can discourage vendors from promptly addressing vulnerabilities, since avoiding a PR crisis is prioritized over improving customer security. Though certain organizations support researchers in navigating these challenges, the situation can feel like a David versus Goliath battle.
One of the main issues with the current system of vulnerability disclosure is that organizations hold complete decision-making power without transparency. While the Common Vulnerabilities and Exposures (CVE) system exists, its issuance is primarily at the vendor’s discretion. Cloud service providers present an even more daunting challenge, with many refusing to issue CVEs and lacking transparency regarding discovered and fixed security issues in their services.
To maintain integrity within the community, it is necessary to discuss problems openly. This approach has proven effective in various contexts, such as open source software development, challenging security by obscurity, and fostering open government initiatives. However, some believe that the pendulum has swung too far in favor of vendors, leading them to prioritize short-term visibility concerns over long-term customer trust and ecosystem security.
While vendor security teams are making efforts to address reported vulnerabilities and build stronger relationships with researchers, they need additional support. Urgency to fix issues is hard to generate when organizations feel they control the situation even as their customers remain at risk.
Security conferences serve as platforms where researchers can push vendors in the right direction. By publicly sharing information, researchers provide a means to hold vendors accountable and allow the entire community to assess the current state of security. These conferences act as a catalyst for change, fostering collaboration and ensuring that the security of organizations and the wider ecosystem remain a top priority.