Yoran said a member of Tenable's security team was investigating Microsoft's Azure platform and related services in March when he/she found an issue "which would enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets".

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft."

Yoran said the bank he had referred to was still vulnerable more than four months after the Azure flaw had been reported.

"And, to the best of our knowledge, they still have no idea they are at risk and therefore can't make an informed decision about compensating controls and other risk mitigating actions," he explained.

"Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That's grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don't."

Yoran said cloud providers had supported the shared responsibility model for a long time. "That model is irretrievably broken if your cloud vendor doesn't notify you of issues as they arise and apply fixes openly," he said.

"What you hear from Microsoft is 'just trust us', but what you get back is very little transparency and a culture of toxic obfuscation.

"How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviours? Microsoft's track record puts us all at risk. And it's even worse than we thought."

"Microsoft's lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about," he added.

Yoran said Microsoft products accounted for 42.5% of all zero-days found since 2014.

The security advisory issued by Tenable about this serious vulnerability says, in part: "A researcher at Tenable has discovered an issue that enables limited, unauthorised access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).

"Tenable is continuing to work with Microsoft to co-ordinate the disclosure process, and will update this advisory with more details by 28 September 2023."

Contacted for comment, a Microsoft spokesperson told iTWire: "We appreciate the collaboration with the security community to responsibly disclose product issues."

When asked on Wednesday if it intended to issue any more clarifications about the Azure issue, a Microsoft spokesperson told iTWire it had no plans to do so.

Only limited details about the incident have been touched on by Microsoft in three blog posts that it has released.

Seasoned security professional Juan Andres Guerrero-Saade, senior director of SentinelLabs, the research wing of security firm SentinelOne, has described the way Microsoft reacted to the breach as "enraging, duplicitous, disappointing, counter-productive and, most importantly, unnecessary".

The email account of US Commerce Secretary Gina Raimondo was among a slew of accounts breached at both the State and Commerce Departments by the attackers, who are claimed to be from China.

Microsoft has also denied the findings of a detailed technical post about the breach by cloud security firm Wiz, despite having been involved in verifying the post.