
Vendors express disapproval of Microsoft’s ongoing security failures


Microsoft’s handling of security breaches and its transparency around them have left many infosec professionals frustrated and questioning the company’s commitment to cybersecurity. The most recent breach, in which a Chinese nation-state threat actor (tracked by Microsoft as Storm-0558) gained access to the email of 25 organizations, including U.S. government agencies, highlighted the extent of the problem.

The breach, which was first detected by the U.S. government rather than by Microsoft itself, involved the exploitation of a “token validation issue” that let forged tokens be accepted by Outlook Web Access in Exchange Online and by Outlook.com. The Cybersecurity and Infrastructure Security Agency (CISA) stated that the intrusion was only detected because the affected organization had enabled enhanced logging for its Microsoft 365 services, specifically the MailItemsAccessed audit event, which at the time was available only to premium subscribers.
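The detection CISA describes depends on two things: having MailItemsAccessed events in the audit log at all, and hunting in them for mailbox access that does not fit the organization's normal clients. The script below is an added example, not code from the article or from Microsoft or CISA. It assumes a Unified Audit Log export in JSON-lines form (as produced, for instance, by Search-UnifiedAuditLog) using the field names those records carry (Operation, MailboxOwnerUPN, ClientIPAddress, AppId); the sample records, the "known" application IDs and the trusted network range are constructed for illustration. It flags MailItemsAccessed events from an unrecognized application ID or an untrusted address, and separately reports which mailboxes produced no MailItemsAccessed events at all, which is the visibility gap a tenant without the premium logging would have had.

```python
"""Hunt for anomalous mailbox access in a Microsoft 365 Unified Audit Log export.

Added example (not from the article). Assumes a JSON-lines export of UAL
records with the MailItemsAccessed field names; sample data is constructed.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample export: alice and bob have MailItemsAccessed coverage,
# carol's mailbox only ever shows a sign-in event (no item-level logging).
SAMPLE_UAL = """\
{"CreationTime": "2023-06-15T08:02:11", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.gov", "ClientIPAddress": "203.0.113.10", "AppId": "00000000-0000-0000-0000-00000000aaaa"}
{"CreationTime": "2023-06-15T08:05:40", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "alice@example.gov", "ClientIPAddress": "198.51.100.7", "AppId": "00000000-0000-0000-0000-00000000aaaa"}
{"CreationTime": "2023-06-15T09:11:03", "Operation": "MailItemsAccessed", "MailboxOwnerUPN": "bob@example.gov", "ClientIPAddress": "203.0.113.22", "AppId": "00000000-0000-0000-0000-00000000ffff"}
{"CreationTime": "2023-06-15T09:12:30", "Operation": "Send", "MailboxOwnerUPN": "bob@example.gov", "ClientIPAddress": "203.0.113.22", "AppId": "00000000-0000-0000-0000-00000000aaaa"}
{"CreationTime": "2023-06-15T09:20:00", "Operation": "UserLoggedIn", "MailboxOwnerUPN": "carol@example.gov", "ClientIPAddress": "203.0.113.30", "AppId": "00000000-0000-0000-0000-00000000aaaa"}
"""

# Placeholder baseline: application IDs the tenant expects to read mail
# (in a real hunt, build this from historical MailItemsAccessed data).
KNOWN_APP_IDS = {
    "00000000-0000-0000-0000-00000000aaaa",
    "00000000-0000-0000-0000-00000000bbbb",
}
# Placeholder: egress ranges the organization's users normally come from.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Mailboxes we expect to see covered by item-level audit logging.
MAILBOXES = ["alice@example.gov", "bob@example.gov", "carol@example.gov"]


def parse_ual(text):
    """Parse a JSON-lines export into a list of audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ip_trusted(addr, networks):
    """True when addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def find_anomalous_access(records, known_app_ids=KNOWN_APP_IDS,
                          trusted_networks=TRUSTED_NETWORKS):
    """Return MailItemsAccessed records that came from an unknown AppId or an
    untrusted client address, each annotated with the reasons it was flagged."""
    flagged = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        reasons = []
        if rec.get("AppId") not in known_app_ids:
            reasons.append("unknown AppId")
        if not _ip_trusted(rec.get("ClientIPAddress", ""), trusted_networks):
            reasons.append("untrusted ClientIPAddress")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def audit_coverage(records, mailboxes=MAILBOXES):
    """Map each expected mailbox to whether any MailItemsAccessed event exists
    for it; False means you could not have detected mail reads there."""
    covered = {r.get("MailboxOwnerUPN") for r in records
               if r.get("Operation") == "MailItemsAccessed"}
    return {mbx: mbx in covered for mbx in mailboxes}


def app_id_summary(records):
    """Count MailItemsAccessed events per AppId; rare IDs deserve a look."""
    return Counter(r.get("AppId") for r in records
                   if r.get("Operation") == "MailItemsAccessed")


if __name__ == "__main__":
    recs = parse_ual(SAMPLE_UAL)
    for hit in find_anomalous_access(recs):
        print(f"{hit['CreationTime']} {hit['MailboxOwnerUPN']} "
              f"{hit['ClientIPAddress']} {hit['AppId']}: {', '.join(hit['reasons'])}")
    for mbx, ok in audit_coverage(recs).items():
        print(f"{mbx}: {'covered' if ok else 'NO MailItemsAccessed events'}")
    print(app_id_summary(recs))
```

The coverage check is the part worth keeping even if the anomaly heuristics are replaced: run it before an investigation, because an empty result for a mailbox means the absence of hits is a logging gap, not evidence that nothing happened.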

In response to the breach, Microsoft announced plans to expand its cloud logging capabilities and make detailed email access logs available to standard subscribers. The company also faced criticism for its lack of transparency in disclosing the technical details of the breach; several security researchers and vendors argued that the flaw should have been classified and disclosed as a zero-day vulnerability.

This breach is just one example of the ongoing security issues that Microsoft has faced in recent years. Amit Yoran, chairman and CEO of Tenable, has been one of the most vocal critics of the company’s transparency practices. Last year, Yoran publicly called out Microsoft for silently patching and downplaying vulnerabilities in Microsoft Azure that Tenable researchers had discovered.

Yoran has also highlighted the issue of insufficient access control to Azure Function hosts, which could allow an unauthenticated attacker to access sensitive data. He referenced data from Google’s Project Zero, which showed that Microsoft products accounted for 42.5% of all zero days discovered since 2014.

In response to Yoran’s comments, the Microsoft Security Response Center (MSRC) defended its handling of the vulnerabilities, stating that it issued fixes in a timely manner and worked to address the flaws completely. However, Yoran argued that Microsoft’s practices were often misleading and lacked transparency.

Security researchers have long complained about the lack of transparency and the absence of disclosure guidelines for cloud vulnerabilities, and Microsoft’s critics believe the company needs to do better. Without proper disclosure, customers cannot know that they were exposed or assess the level of risk they had been operating under.

Recent issues with Microsoft’s cloud services have further fueled concerns about the company’s security practices. Vulnerabilities in Azure Machine Learning were allegedly “silently patched” by Microsoft, and the extent of the Storm-0558 campaign may be broader than initially thought.

Despite the criticism, some security researchers have praised Microsoft’s efforts in working with the security community. They believe that the company has made advancements in communication practices and is leading initiatives in security research. However, critics argue that the bypassing of mitigations and the emergence of additional vulnerabilities and zero days indicate that Microsoft’s actions may not match its rhetoric.

Overall, the frustrations and concerns raised by infosec professionals highlight the need for Microsoft to prioritize transparency, effective communication, and timely response to security issues. As cyber threats continue to evolve, it is crucial for companies like Microsoft to uphold their end of the security bargain and ensure the protection of their customers’ data.
