Tuesday, 14 June 2022 11:09

Tenable boss accuses Microsoft of putting Azure customer safety at risk

By Sam Varghese

Microsoft has been accused of a lack of transparency in its vulnerability practices, with the security outfit Tenable claiming these practices put the software giant's customers at risk.

Tenable chairman and chief executive Amit Yoran said in a blog post that his company had discovered two flaws in Microsoft's Azure platform, both in Azure Synapse Analytics, one of which it rated critical.

Synapse Analytics is used for machine learning, data aggregation and similar computational tasks.

One of these flaws was a privilege escalation within the context of a Spark VM; the second allowed the hosts file to be poisoned on every node in a Spark pool.
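The hosts-file poisoning mentioned above is one concrete thing a defender can check for. The following is an added example, not Tenable's code and not anything from Microsoft, and it assumes nothing about how the issue was triggered: it parses the content of /etc/hosts collected from each node in a pool and flags names that were added or redirected relative to a baseline the operator maintains. The baseline entries, hostnames and sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that were added or redirected relative to a baseline.

Added example, not code from Tenable or Microsoft. Hostnames, addresses and
the baseline below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostsEntry:
    address: str          # normalised address text, e.g. "::1"
    names: tuple          # hostname and aliases, lower-cased


def parse_hosts(text):
    """Parse hosts-file content into HostsEntry records.

    Blank lines, full-line comments and trailing '# ...' comments are ignored.
    Lines whose first field is not a valid IP address, or that carry no name,
    are skipped rather than raising, so one odd line cannot abort an audit.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        entries.append(HostsEntry(address, tuple(n.lower() for n in fields[1:])))
    return entries


def find_poisoned(text, baseline):
    """Compare hosts-file content against a baseline.

    baseline maps a lower-cased name to the set of addresses it may resolve to.
    Returns a list of (kind, name, address) tuples where kind is
    "unexpected" (name not in the baseline at all) or
    "redirected" (name known, but mapped to an address outside its allowed set).
    """
    findings = []
    for entry in parse_hosts(text):
        for name in entry.names:
            allowed = baseline.get(name)
            if allowed is None:
                findings.append(("unexpected", name, entry.address))
            elif entry.address not in allowed:
                findings.append(("redirected", name, entry.address))
    return findings


def audit_pool(node_hosts, baseline):
    """Run find_poisoned over {node_name: hosts_text}; return only nodes with findings."""
    results = {}
    for node, text in node_hosts.items():
        findings = find_poisoned(text, baseline)
        if findings:
            results[node] = findings
    return results


# Constructed baseline: the loopback entries plus one legitimate pool host.
BASELINE = {
    "localhost": {"127.0.0.1", "::1"},
    "ip6-localhost": {"::1"},
    "ip6-loopback": {"::1"},
    "spark-head-0.internal.example": {"10.0.0.4"},
}

# Constructed hosts content from a clean node and from a tampered node.
CLEAN_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
10.0.0.4    spark-head-0.internal.example   # legitimate pool entry
"""

TAMPERED_HOSTS = CLEAN_HOSTS + """\
# two injected lines: a new name, and a redirect of an existing pool host
203.0.113.7 storage.example.test
10.0.0.99   spark-head-0.internal.example
"""

if __name__ == "__main__":
    for node, findings in audit_pool(
        {"node-a": CLEAN_HOSTS, "node-b": TAMPERED_HOSTS}, BASELINE
    ).items():
        for kind, name, address in findings:
            print(f"{node}: {kind} {name} -> {address}")
```

The baseline is the part that needs care: it should be generated from a node known to be clean, and any names the platform legitimately injects on boot must be included, otherwise every node reports noise. Collect /etc/hosts from each node over your normal management channel and feed the text to audit_pool; the check itself never touches the network.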

Yoran wrote that Microsoft decided to silently patch the privilege escalation flaw while downplaying the risk. "It was only after being told that we were going to go public, that their story changed… 89 days after the initial vulnerability notification… when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified," he added.

Tenable researcher James Sebree wrote that the company had rated the issue as critical severity, basing its reasoning on the concept of the Spark VM itself.

He said: "During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues. A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research.

"This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.

"During the final weeks of the disclosure process, MSRC [Microsoft Security Response Center] began attempting to downplay this issue and classified it as a 'best practice recommendation' rather than a security issue. Their team stated the following (typos are Microsoft's): '[W]e do not consider this to be a important severity security issue but rather a better practice'."

Yoran said this was not an isolated case. "This is a repeated pattern of behaviour. Several security companies have written about their vulnerability notification interactions with Microsoft, and Microsoft’s dismissive attitude about the risk that vulnerabilities present to their customers," he said.

"For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially.

"Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack… or if they fell victim to attack prior to a vulnerability being patched.

"And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy."

Yoran pointed to the case of FireEye/Mandiant which provided what he said was "an exemplary model for responsible disclosure when the company disclosed their breach, even prior to the forensic evidence resulting in the SolarWinds revelations of 2020".

He said the answer did not lie in just asking vendors to do better. "Holding a cloud or technology provider to a standard of care and transparency is essential. Independent audit and assessment of IT infrastructure and cloud service providers should be mandatory.

"The fox is guarding the henhouse. Trust but verify. The simple lessons we have been taught since elementary school remain applicable in cyber."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
