Tenable CEO Amit Yoran accused Microsoft of negligence in addressing a critical vulnerability affecting its Azure platform in a new LinkedIn post. Yoran’s post, entitled “Microsoft…The Truth is Even Worse Than You Think” accuses Microsoft of continuously slow-rolling vulnerability disclosures, remediation, and lack of transparency.
A series of Azure security flaws, disclosed to Microsoft on March 30, allowed China-based hackers known as “Storm-0558” to access sensitive information, including the email accounts of members of the Biden Administration, the U.S. State Department, and the U.S. Commerce Department.
Azure vulnerabilities won’t be fully remediated until September
According to Yoran, Microsoft acknowledged the issue the same day it was disclosed but has yet to fully patch the vulnerability. Tenable has asked for updates on the status of the fix but has been told that it is still in progress.
Microsoft now estimates that it will not fully resolve the identified Azure vulnerabilities until September 28.
Yoran expressed concern that Microsoft’s slow response to the vulnerability could have serious consequences. “The longer this vulnerability goes unpatched, the greater the risk that it will be exploited by attackers,” he wrote. “This could lead to widespread data breaches and other serious security incidents.”
Yoran also criticized Microsoft’s culture of “toxic obfuscation” when addressing security threats. He said that Microsoft has a history of making it difficult for security researchers to disclose vulnerabilities and that this has contributed to the slow pace of remediation.
In a damning summarization, Yoran describes Microsoft as “putting us all at risk.”
“How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought,” Yoran concludes.
Microsoft has not yet responded to Yoran’s accusations.
