Tenable CEO Amit Yoran has taken to LinkedIn with harsh words for Microsoft, criticizing the company’s vulnerability disclosure practices as being insufficiently transparent and irresponsible.
The blog post was specifically triggered by Microsoft’s handling of some recent vulnerabilities in the Azure platform, but Yoran cites reports from several cybersecurity firms that indicate the company is not being timely enough with its disclosures and sometimes has a “dismissive” attitude toward impacted parties.
Tenable CEO says Microsoft vulnerability disclosures too slow, lacking in important details
The immediate prompt for Yoran’s polemic appears to have been two Azure Synapse Analytics vulnerabilities that Tenable (a major vulnerability scanning platform) discovered in March. Reporting dozens of vulnerabilities to manufacturers and developers each year, Tenable definitely has some substantial insight into how the remediation and disclosure processes tend to work.
Yoran said that Microsoft decided to patch one of the two security issues without a vulnerability disclosure, only following up some 89 days later when Tenable informed the company it was going public. Yoran says that Microsoft privately acknowledged the severity of the issue, but continued to insist on not issuing a public vulnerability disclosure.
According to Yoran, this is not an isolated issue. He notes that several other cybersecurity companies have written about similar interactions with Microsoft: Orca Security, Wiz, and Positive Security have all also addressed the Azure issue and reported comparable experiences. Yoran also cites Fortinet’s recent reporting of the “Follina” vulnerability, which went unpatched for weeks after it was disclosed; prior to the mid-June patch, Microsoft’s only guidance was a May 30 advisory that told Windows users to disable the Microsoft Support Diagnostic Tool (MSDT) entirely.
Tenable disclosed both of the Azure flaws via a company blog post on June 13. Both of the flaws allowed an attacker to escalate to root privileges within Apache Spark virtual machines. Apache Spark pools are a particularly sensitive point of compromise as they generally contain keys and services that allow an attacker to expand further into Microsoft infrastructure. Tenable says that Microsoft quietly rolled out fixes to all regions for the issues on April 30, but again took the company to task for downplaying the severity of the issues and refused to classify them in such a way that they became eligible for bug bounties.
Microsoft’s motives for slow, incomplete disclosures remain unclear
Tenable notes that Synapse Analytics, a computing platform frequently used for machine learning and data aggregation, is listed as a “high impact scenario” in the company’s Azure Bug Bounty program. This puts it among the products regarded as having the most serious possible security impacts for Microsoft customers across its entire ecosystem of software.
Nevertheless, Microsoft felt that the issues did not merit a vulnerability disclosure. While Yoran and Tenable are not attributing a specific reason for this, some commenters have been left wondering if this is simply a rather heavy-handed way to avoid paying out a bug bounty. Microsoft generally pays over $10 million per year in bounties, with the largest individual bounty to date being $200,000 and the average amount paid currently at about $10,000. At least one company, Orca Security, was issued a $60,000 bounty in connection with one of these vulnerabilities.
Tenable reports not getting a response from case agents at the Microsoft Security Response Center (MSRC) for prolonged periods, and having to resort to Twitter posts to prompt timely communication. Tenable was also not initially notified of the issues that eventually wound up in the vulnerability disclosure being patched, having to discover them for themselves.
There is a legitimate debate to be had over transparency in cases in which a patch for a reported vulnerability may take some time to prepare. However, if threat actors have already been found exploiting the issue, the industry standard tends to be immediate vulnerability disclosure in the interest of transparency and letting users know what their risk profile is. If threat actors pick up on the fact that a company such as Microsoft is downplaying or covering up an exploit that is known to them, it will very likely serve as further incitement to make use of it. There is no reasonable expectation of the customer base not noticing or not being impacted by something when that base spans millions of people around the world.
As Bob Huber, CSO and head of research at Tenable, observes: “Even if there are no patches or mitigations available, as a customer, and risk manager, I still want to understand the exposure I have at any given point in time. In this case, while the patch was delayed, we at least knew the risk we were carrying and could structure our defense to monitor for possible exploitation and malicious activity. This is unlike the recent comments about cloud vulnerabilities wherein we were not even aware of a vulnerability or the additional risk we were carrying. Follina, eyes wide open. Cloud, dark and stormy.”
The Azure security vulnerability allowed attackers to jump between Synapse customer accounts, access credentials stored in Synapse workplaces, enable remote code execution via access to integration runtimes, and take over batch pools. The first patch that Microsoft quietly deployed on March 30 was reportedly bypassed successfully by Orca Security in private testing. The practice of “stealth patching” and downplaying or ignoring security issues is hardly unique to Microsoft, however; Oracle, Google and Apple have all been criticized for abruptly issuing patches without notice, slow patching of known vulnerabilities, and even ceasing support for products suddenly when they become unmanageable due to some sort of code flaw.