Botched and silent patches from Microsoft put customers at risk, critics say

June 15, 2022
Blame is mounting on Microsoft for what critics in the security profession say is a lack of transparency and adequate speed when responding to reports of vulnerabilities that threaten its customers.

Microsoft’s latest failing came to light on Tuesday in a post that showed Microsoft taking five months and three patches before successfully fixing a critical vulnerability in Azure. Orca Security first informed Microsoft in early January of the flaw, which resided in the Synapse Analytics component of the cloud service and also affected the Azure Data Factory. It gave anyone with an Azure account the ability to access the resources of other customers.

From there, Orca Security researcher Tzah Pahima said, an attacker could:

  • Gain authorization inside other customer accounts while acting as their Synapse workspace. We could have accessed even more resources inside a customer’s account depending on the configuration.
  • Leak credentials customers stored in their Synapse workspace.
  • Communicate with other customers’ integration runtimes. We could leverage this to run remote code (RCE) on any customer’s integration runtimes.
  • Take control of the Azure batch pool managing all of the shared integration runtimes. We could run code on every instance.

Third time’s the charm

Despite the urgency of the vulnerability, Microsoft responders were slow to grasp its severity, Pahima said. Microsoft botched the first two patches, and it wasn’t until Tuesday that Microsoft issued an update that entirely fixed the flaw. A timeline Pahima provided shows just how much time and work it took his company to shepherd Microsoft through the remediation process.

  • January 4 – The Orca Security research team disclosed the vulnerability to the Microsoft Security Response Center (MSRC), along with keys and certificates we were able to extract.
  • February 19 & March 4 – MSRC requested additional details to aid its investigation. Each time, we responded the next day.
  • Late March – MSRC deployed the initial patch.
  • March 30 – Orca was able to bypass the patch. Synapse remained vulnerable.
  • March 31 – Azure awards us $60,000 for our discovery.
  • April 4 (90 days after disclosure) – Orca Security notifies Microsoft that keys and certificates are still valid. Orca still had Synapse management server access.
  • April 7 – Orca met with MSRC to clarify the implications of the vulnerability and the required steps to fix it in its entirety.
  • April 10 – MSRC patches the bypass, and finally revokes the Synapse management server certificate. Orca was able to bypass the patch yet again. Synapse remained vulnerable.
  • April 15 – MSRC deploys the 3rd patch, fixing the RCE and reported attack vectors.
  • May 9 – Both Orca Security and MSRC publish blogs outlining the vulnerability, mitigations, and recommendations for customers.
  • End of May – Microsoft deploys more comprehensive tenant isolation including ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.

Silent fix, no notification

The account came 24 hours after security firm Tenable related a similar tale of Microsoft failing to transparently fix vulnerabilities that also involved Azure Synapse. In a post headlined “Microsoft’s Vulnerability Practices Put Customers At Risk,” Tenable Chairman and CEO Amit Yoran complained of a “lack of transparency in cybersecurity” that Microsoft showed one day before the 90-day embargo lifted on critical vulnerabilities his company had privately reported.

He wrote:

Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk. It was only after being told that we were going to go public, that their story changed… 89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.

Tenable has published the technical details in a separate post.

Critics have also called out Microsoft for failing to fix a critical Windows vulnerability called Follina until it had been actively exploited in the wild for more than seven weeks. The exploit method was first described in a 2020 academic paper. Then in April, researchers from Shadow Chaser Group said on Twitter that they had reported to Microsoft that Follina was being exploited in an ongoing malicious spam run and even included the exploit file used in the campaign.

For reasons Microsoft has yet to explain, the company didn’t declare the reported behavior as a vulnerability until two weeks ago and didn’t release a formal patch until Tuesday.

For its part, Microsoft is defending its practices and has published a post detailing the work involved in fixing the Azure vulnerability found by Orca Security.

In a statement, company officials wrote: “We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection.”
