Guardicore's associate vice-president of Security Research, Amit Serper, said in a tweet thread that Microsoft had had plenty of time to either fix or address the issue, by releasing patches or else by buying all the Autodiscover top-level domains. The latter option was what the Redmond firm was now pursuing, he added.
2021 has been the year of MSFT security PR SNAFUs and this is sadly no exception. https://t.co/FVc3rilsIW — Jake Williams (@MalwareJake) September 23, 2021
On Wednesday, Guardicore released details of a flaw in the POX XML-based implementation of the Autodiscover protocol, which it said leaks Web requests to Autodiscover domains outside a user's own domain but within the same top-level domain.
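To make the leak described above concrete, here is an added example (it is not Guardicore's or Microsoft's code, and the candidate-generation "back-off" it models is an assumption drawn from the article's one-sentence description, not a reproduction of any client's actual logic). It shows how walking up the user's mail domain one label at a time eventually produces an Autodiscover host under the bare top-level domain, a hardened variant that stops before leaving the organisation's registrable domain (the kind of quick mitigation the article says Guardicore's post proposed), and a small detector that flags such requests in outbound proxy logs. The suffix set and the log lines are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed, tiny stand-in for the Public Suffix List. A real client or
# detector should use the full list (e.g. the publicsuffix2 package) so that
# "example.co.uk" is not mistaken for the registrable domain "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(domain: str) -> str:
    """Return the part of a domain that an organisation actually registers."""
    labels = domain.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def autodiscover_candidates(email: str) -> List[str]:
    """Assumed model of the flawed 'back-off': strip one label at a time from
    the user's mail domain and prefix 'autodiscover.' to each remainder.
    The last entry sits directly under the top-level domain."""
    domain = email.rsplit("@", 1)[1].lower()
    labels = domain.split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def is_out_of_domain(host: str, user_domain: str) -> bool:
    """True when host is neither the user's registrable domain nor a subdomain of it."""
    rd = registrable_domain(user_domain)
    host = host.lower()
    return not (host == rd or host.endswith("." + rd))


def leaked_hosts(email: str) -> List[str]:
    """Candidates the flawed back-off would contact outside the user's own domain."""
    domain = email.rsplit("@", 1)[1]
    return [h for h in autodiscover_candidates(email) if is_out_of_domain(h, domain)]


def safe_candidates(email: str) -> List[str]:
    """Hardened client behaviour: same back-off, but stop before leaving the
    registrable domain, so no request (or credential) reaches a third party."""
    domain = email.rsplit("@", 1)[1]
    return [h for h in autodiscover_candidates(email) if not is_out_of_domain(h, domain)]


# Detection side: scan outbound proxy log lines for Autodiscover requests that
# left the organisation's domain. Log format is constructed for this example:
# "<timestamp> <client-ip> <METHOD> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s:]+)")


def flag_autodiscover_leaks(log_lines: List[str], org_domain: str) -> List[Tuple[str, str]]:
    """Return (client-ip, host) pairs for Autodiscover requests outside org_domain."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = m.group("host").lower()
        if host.startswith("autodiscover.") and is_out_of_domain(host, org_domain):
            hits.append((m.group("src"), host))
    return hits


# Constructed sample log: one client walks the back-off chain and ends up
# contacting a host under the bare top-level domain.
SAMPLE_PROXY_LOG = [
    "2021-09-23T10:01:02Z 10.0.0.12 GET https://autodiscover.mail.example.com/autodiscover/autodiscover.xml",
    "2021-09-23T10:01:03Z 10.0.0.12 GET https://autodiscover.example.com/autodiscover/autodiscover.xml",
    "2021-09-23T10:01:04Z 10.0.0.12 POST https://autodiscover.com/autodiscover/autodiscover.xml",
    "2021-09-23T10:05:00Z 10.0.0.40 GET https://www.example.com/",
]

if __name__ == "__main__":
    print(leaked_hosts("alice@mail.example.com"))
    print(safe_candidates("alice@mail.example.com"))
    print(leaked_hosts("bob@example.co.uk"))
    print(flag_autodiscover_leaks(SAMPLE_PROXY_LOG, "example.com"))
```

The `example.co.uk` case is why the registrable-domain check matters: a naive "keep the last two labels" rule would treat `autodiscover.co.uk` as in scope, which is exactly the out-of-organisation host the leak sends requests to.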
In the post, Serper also mentioned that four years ago, researchers from Shape Security had shared details of how Autodiscover implementations in mobile email clients could cause such leaks.
5/n these issues. My view on the way Microsoft interacts with the research community had changed dramatically following this incident and I'll have to figure out how to approach these issues in the future. Now, I'd like to get on with my life so here are my cats. pic.twitter.com/yTPhAKKl3D — Amit Serper (@0xAmit) September 23, 2021
Neither Microsoft nor Guardicore have responded to emails from iTWire seeking comment.
Serper said Microsoft had come after him personally on LinkedIn, a site owned by Microsoft, as well. "Coming after me personally is disgusting and rather shocking to be honest... especially when there are research papers, blackhat talks, and news articles that are proving that these issues were known," he commented.
Shape Security presented their findings at the annual Black Hat conference.
Serper said he was scheduled to meet staff of the Microsoft Security Response Centre soon.
People will yell at you simply because they think you made them look bad. It's that simple. They'll often say it's for some other reason, but that's the real reason. — David (@hcetamd) September 23, 2021
The Guardicore blog post also had mentioned viable mitigations, he said, and these could be put in place "fairly quickly and can help to significantly remove the risk of exposure right now".
"Now, after almost 7 years, Microsoft are taking these issues seriously, buying domains and hopefully fixing these issues," Serper added.
"My view on the way Microsoft interacts with the research community had changed dramatically following this incident and I'll have to figure out how to approach these issues in the future. Now, I'd like to get on with my life so here are my cats."
And he tweeted out a picture of his cats!
In my LinkedIn post comments right now. Incredible. pic.twitter.com/bgSzYCw9mj — Amit Serper (@0xAmit) September 23, 2021