Microsoft called out for ‘blatantly negligent’ cybersecurity practices

Microsoft is currently facing a wave of criticism following the recent attack on Azure. In a thought-provoking LinkedIn post, CEO of Tenable, Amit Yoran, goes so far as to claim that Microsoft’s track record in cybersecurity is even worse than anticipated — and he has concrete evidence to support this assertion.

On July 12th, Microsoft disclosed a significant breach that targeted its Azure platform. This breach was traced back to Storm-0558, a Chinese hacking group. The attack had a far-reaching impact, affecting approximately 25 organizations and resulting in the theft of sensitive emails belonging to US government officials. Recently, Senator Ron Wyden (D-OR) addressed a letter to the US Department of Justice, urging them to hold Microsoft accountable for their negligence in cybersecurity practices.

Yoran adds weight to Senator Wyden’s arguments by demonstrating Microsoft’s repeated pattern of negligent cybersecurity practices. According to him, this pattern has enabled Chinese hackers to conduct surveillance on the US government. Tenable also discovered an additional cybersecurity flaw in Microsoft Azure and raised concerns about the company’s slow response in addressing it.

Initially discovered by Tenable in March, this flaw had the potential to grant unauthorized access to sensitive data, including that of a bank. Yoran alleges that Microsoft took more than 90 days to implement a partial fix after being notified by Tenable. Furthermore, the fix only applies to new applications loaded into the service, leaving organizations that had launched the service before the fix vulnerable and likely unaware of the risks.

Microsoft plans to address this issue by the end of September, but Yoran condemns the delayed response as “grossly irresponsible if not blatantly negligent.” He also references data from Google’s Project Zero, which indicates that Microsoft products account for 42.5 percent of all discovered zero-day vulnerabilities since 2014.

Yoran voices his concerns about Microsoft’s lack of transparency, stating that their assertions of trust are met with minimal transparency and a culture of obfuscation. This leaves CISOs, board members, and executives questioning whether Microsoft will act responsibly given their current behavior and track record.

In response to Yoran’s critique, Microsoft senior director Jeff Jones issued a statement to The Verge via email:

We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.

 
