Tenable accused Microsoft of a communication disconnect and of "downplaying" the severity of the two Azure vulnerabilities. More importantly, however, the security vendor said it speaks to a broader issue within the CVE system, which does not include cloud flaws.

"These flaws and our researchers' interactions with Microsoft demonstrate the difficulties involved in addressing security-related issues in cloud environments," the blog post read. "Customers are entirely beholden to the cloud providers to fix reported issues."

While Tenable said both vendors initially appeared to agree on the critical severity of the Azure vulnerabilities, Microsoft changed classification from a security issue to a "best practice recommendation" in the final days of the disclosure process, according to the blog. Additionally, Tenable said Microsoft declined a bounty or acknowledgment of the finding.

Tenable CEO Amit Yoran personally addressed the transparency concerns in a separate statement on LinkedIn on Monday. He referred to Microsoft as a fox guarding the henhouse, and said that to date, Microsoft customers have not been notified of the two bugs that Tenable ranked as critical.

"After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," Yoran wrote. "It was only after being told that we were going to go public, that their story changed … 89 days after the initial vulnerability notification … when they privately acknowledged the severity of the security issue."

A comprehensive disclosure timeline can be critical for enterprise security. Yoran referred to the issue of silent patching as a "repeated pattern of behavior," particularly with Microsoft. He noted other vendors including Orca Security, Wiz and Fortinet had similar experiences with the tech giant.

One prime example of downplaying security incidents occurred in May, when a Microsoft zero-day vulnerability, dubbed Follina by independent security researcher Kevin Beaumont, was exploited in the wild. While Microsoft was notified of the flaw in April, the company determined it was not a security-related issue. Workarounds were not issued until after active exploitation.

"Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack … or if they fell victim to attack prior to a vulnerability being patched," Yoran wrote.

James Sebree, principal research engineer at Tenable, detailed the interaction in a separate blog post Monday, in which he cited a "major communications disconnect" between Microsoft Security Response Center and the Synapse Analytics development team. Sebree said his email and researcher portal requests for status updates went unanswered.