Microsoft is being blamed for what critics say is a lack of transparency and adequate speed in responding to reports of vulnerabilities threatening its customers, security professionals said.
Microsoft’s latest flaw came to light on Tuesday in a post showing that it took Microsoft five months and three patches to successfully fix a critical vulnerability in Azure. Orca Security first notified Microsoft of the flaw in early January, which was located in the Synapse Analytics component of the cloud service and also affected the Azure Data Factory. It gave anyone with an Azure account access to other customers’ resources.
From there, Orca Security researcher Tzah Pahima said that an attacker:
- Gain authorization within other customer accounts while acting as their Synapse workspace. Depending on the configuration, we could have accessed even more resources in a customer’s account.
- Leaked customer credentials stored in their Synapse workspace.
- Communicate with other customers’ integration runtimes. We could use this to run external code (RCE) on each customer’s integration runtimes.
- Take control of the Azure batch pool and manage all shared integration runtimes. We can run code on any instance.
Three times is right
Despite the vulnerability’s urgency, Microsoft responders were slow to understand its gravity, Pahima said. Microsoft messed up the first two patches, and it wasn’t until Tuesday that Microsoft released an update that completely fixed the bug. A timeline provided by Pahima shows how much time and work it took his company to get Microsoft through the recovery process.
- January 4 – Orca Security’s research team disclosed the vulnerability to the Microsoft Security Response Center (MSRC), along with keys and certificates that we were able to extract.
- February 19 and March 4 – MSRC has requested additional details to facilitate the investigation. Each time we responded the next day.
- End of March – MSRC has deployed the first patch.
- March 30 – Orca was able to bypass the patch† Synapse remained vulnerable.
- March 31 – Azure awards us $60,000 for our discovery.
- April 4 (90 days after disclosure) – Orca Security informs Microsoft that keys and certificates are still valid. Orca still had access to the Synapse management server.
- April 7 – Orca met with MSRC to clarify the implications of the vulnerability and the steps required to resolve it in its entirety.
- April 10 – MSRC patches the bypass and eventually revokes the Synapse management server certificate. Orca was able to bypass the patch one more time† Synapse remained vulnerable.
- April 15 – MSRC deploys the 3rd patch, which fixes the RCE and reported attack vectors.
- May 9 – Both Orca Security and MSRC publish blogs detailing the vulnerability, fixes and recommendations for customers.
- End of May – Microsoft rolls out more comprehensive tenant isolation, including ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.
Silent solution, no notification
The account came 24 hours after security firm Tenable shared a similar story about Microsoft failing to transparently fix vulnerabilities that also involved Azure Synapse. In a post headlined Microsoft’s Vulnerability Practices Put Customers at Risk, Tenable chairman and CEO Amit Yoran complained about a “lack of transparency in cybersecurity” Microsoft demonstrated a day before the 90-day embargo on critical vulnerabilities was lifted. who had reported his company privately.
He wrote:
Both vulnerabilities could be exploited by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to quietly patch one of the issues, downplaying the risk. It wasn’t until they were told we were going public that their story changed… 89 days after the vulnerability was first reported… when they personally acknowledged the severity of the vulnerability. To date, Microsoft customers have not been notified.
Tenable has technical details here.
Critics have also blamed Microsoft for failing to fix a critical Windows vulnerability called Follina until it had been actively exploited in the wild for more than seven weeks. The exploit method was first described in a 2020 academic paper. In April, Shadow Chaser Group researchers said on Twitter that they reported to Microsoft that Follina was being exploited in an ongoing malicious spam run and even included the exploit file that was used in the campaign.
For reasons Microsoft has yet to explain, the company only classified the reported behavior as a vulnerability two weeks ago and didn’t release a formal patch until Tuesday.
For its part, Microsoft is defending its practices and has provided this post detailing the work involved in resolving the Azure vulnerability found by Orca Security.
In a statement, company officials wrote: “We are deeply committed to protecting our customers and we believe that security is a team sport. We value our partnership with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize disruption to customers while improving protection.”