The CEO of cybersecurity company Tenable, Amit Yoran, has strongly criticized Microsoft’s practices in addressing high-severity vulnerabilities and dangerous flaws. In a post on the Microsoft-owned platform LinkedIn, Yoran said that Microsoft has a history of being non-transparent about breaches and vulnerabilities, leaving its customers at risk.
Tenable identified a significant flaw in the Azure platform in March 2023 that could allow malicious actors to quickly and easily find authentication secrets. To highlight the importance, Yoran said that his team discovered secrets to a bank and immediately informed Microsoft about it.
While Microsoft confirmed the findings, it took about three months for Microsoft to release a partial patch that only worked for new applications. This means that organizations that were using the service before the fix, including the bank mentioned earlier, remained vulnerable and unaware of the risk.
Yoran criticized Microsoft's promise of a fix by the end of September, four months after being informed, as highly irresponsible. He also said that, under the shared responsibility model, cloud providers should promptly inform users of critical issues and openly apply fixes.
His post generated a debate on LinkedIn, with almost a hundred comments. Many people agreed with Yoran’s concerns, expressing skepticism about Microsoft’s unchanged behavior over the years. Microsoft did not respond to these accusations.