Microsoft has explained why it seemingly took its time to fix a flaw reported to it by infosec intelligence vendor Tenable.
As reported by The Register, in March Tenable reported a flaw in Microsoft’s Power Platform. On July 10, Tenable again contacted Microsoft to report its findings on what it regarded as a dangerously incomplete fix.
Then last week Tenable CEO Amit Yoran gave Microsoft a lashing on LinkedIn over its handling of the flaw, arguing that Microsoft’s response was too little, too late, because it did not completely address the issue.
Yoran labelled Microsoft’s response “grossly irresponsible, if not blatantly negligent.”
Then he kept punching. “Cloud providers have long espoused the shared responsibility model,” he wrote. “That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.”
On Friday, Microsoft responded with a post explaining that it investigated Tenable’s July 10 report and found “a very small subset” of code and customers were at risk. The software colossus fixed the flaw by August 2.
Customers were notified in the Microsoft 365 Admin Center.
Microsoft’s post then justifies its two-phase response by stating: “As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”
As explained by the Microsoft Security Response Center, “Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability.”
“The purpose of an embargo period is to provide time for a quality fix. Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”
Regardless of the time required to build a fix, Microsoft’s post states, “we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit.”
Which appears to be why the flaw Tenable spotted wasn’t completely quashed sooner: absent evidence of active exploitation, Microsoft let its slower, quality-first process run its course.
“As both a service provider and a security company, Microsoft appreciates being part of an ecosystem of organizations focused on protecting customers as the highest priority over all other goals,” reads Microsoft’s missive.
The post continues: “Microsoft also appreciates the security community’s research and disclosure of vulnerabilities,” adding “Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together.”
But Tenable clearly didn’t understand Microsoft’s process – or think it appropriate.
“Any deviation from this process puts customers and our communities at undue security risk,” Microsoft’s post continues. It concludes with an assertion that the tech titan’s “top priority is to protect and be transparent with our customers and we remain steadfast in our mission.”
In this case, by being transparent in the web-based Microsoft 365 Admin Center.
Tenable’s Yoran appears not to have responded to Redmond’s riposte at the time of writing. ®