Tenable CEO: Microsoft Vulnerability Disclosure and Patching Practices Lacks Transparency and Puts Customers at Risk
Tenable CEO Amit Yoran took to LinkedIn with harsh words for Microsoft, criticizing the company’s vulnerability disclosure practices as insufficiently transparent and irresponsible.
The blog post was specifically triggered by Microsoft’s handling of some recent Azure platform vulnerabilities, but Yoran cites reports from several cybersecurity firms that indicate the company isn’t moving fast enough with its disclosures and sometimes has a “dismissive” attitude towards the parties involved.
Tenable CEO Says Microsoft Vulnerability Disclosures Are Too Slow and Lack Important Details
Yoran’s immediate incitement to controversy seems to have been two Azure Synapse Analytics vulnerabilities that Tenable (a major vulnerability scanning platform) discovered in March. Reporting dozens of vulnerabilities to manufacturers and developers every year, Tenable certainly has substantial insight into how remediation and disclosure processes tend to work.
Yoran said Microsoft decided to patch one of the two security issues without a vulnerability disclosure, not following up until 89 days later when Tenable notified the company that it was going public. Yoran says Microsoft privately acknowledged the seriousness of the problem, but continued to insist on not issuing a public vulnerability disclosure.
According to Yoran, this is not an isolated problem. He notes that several other cybersecurity companies have written about similar interactions with Microsoft: Orca Security, Wiz, and Positive Security have also addressed the Azure issue and reported comparable experiences. Yoran also cites Fortinet’s recent report on the “Follina” vulnerability, which went unpatched for weeks after it was disclosed; prior to the mid-June patch, Microsoft’s only recommendation was a May 30 advisory that instructed Windows users to completely disable the Microsoft Support Diagnostic Tool (MSDT).
Tenable disclosed the two Azure flaws via a company blog post on June 13. Both flaws allowed an attacker to gain root privileges in Apache Spark virtual machines. Apache Spark pools are a particularly sensitive point of compromise because they typically contain keys and services that allow an attacker to extend further into the Microsoft infrastructure. Tenable says Microsoft quietly rolled out fixes to all regions for the issues on April 30, but again blamed the company for downplaying the severity of the issues and refused to categorize them in a way that they become eligible for bug bounties.
Microsoft’s motives for slow and incomplete disclosures remain unclear
Tenable notes that Synapse Analytics, a commonly used computing platform for machine learning and data aggregation, is listed as a “high impact scenario” in the company’s Azure Bug Bounty program. This places it among the products considered to have the most severe possible security impacts for Microsoft customers across its entire software ecosystem.
Nevertheless, Microsoft has determined that the issues do not warrant a vulnerability disclosure. While Yoran and Tenable don’t assign a specific reason for this, some commenters wonder if this is just a rather cumbersome way to avoid paying a bug bounty. Microsoft typically pays out more than $10 million a year in bonuses, with the largest individual bonus to date being $200,000 and the average amount currently being paid around $10,000. At least one company, Orca Security, received a $60,000 bounty in connection with one of these vulnerabilities.
Tenable reports not receiving a response from Microsoft Security Response Center (MSRC) agents for long periods of time and having to resort to Twitter messages to expedite communication. Tenable was also not initially notified of the issues which ultimately led to the disclosure of the patched vulnerability, having to figure them out on their own.
There is a legitimate debate to be had about transparency in cases where a fix for a reported vulnerability may take some time to prepare. However, if malicious actors have already been discovered exploiting the problem, the industry standard tends to be immediate disclosure of vulnerabilities for the sake of transparency and letting users know what their risk profile is. If hackers realize that a company like Microsoft is downplaying or covering up an exploit they know about, this will most likely serve as an additional incentive to use it. There is no reasonable expectation that the clientele will not notice or be untouched by anything when this base spans millions of people across the globe.
As Bob Huber, CSO and Head of Research at Tenable observes: “Even though there are no patches or mitigations available, as a customer and risk manager, I still want to understand the exposure which I have at one point. In this case, although the patch was delayed, we at least knew the risk we were running and could structure our defense to watch for possible exploit and malicious activity. This is different from recent comments about cloud vulnerabilities in which we weren’t even aware of a vulnerability or the additional risk we were carrying. Follina, eyes wide open. Cloud, dark and stormy.
The Azure security vulnerability allowed attackers to switch between Synapse customer accounts, access credentials stored in Synapse Workplaces, enable remote code execution via the access to integration runtimes and take control of batch pools. The first patch deployed quietly by Microsoft on March 30 was reportedly successfully circumvented by Orca Security during private testing. However, the practice of “stealth patches” and minimizing or ignoring security issues is not unique to Microsoft; Oracle, Google, and Apple have all been criticized for abruptly releasing patches without notice, slowly patching known vulnerabilities, and even suddenly ceasing to support products when they became unmanageable due to some sort of code defect.