Microsoft comes under blistering criticism for “grossly irresponsible” security

Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.”

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices” that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

Critics pile on

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a “critical” issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.” He continued:

Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix—and only for new applications loaded in the service.

In a statement issued seven hours after this Ars post went live, Microsoft officials wrote: “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”

The email went on to say that the initial fix in June "mitigated the issue for the majority of customers." This vulnerability "has now been fully addressed for all customers and no customer action is required."

In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."

Tenable is discussing the issue in only general terms to prevent malicious hackers from learning how to actively exploit it in the wild. In an email, company officials said: “There is a vulnerability that provides access to the Azure fabric, at the very least. Once the details of this vulnerability are known, exploitation is relatively trivial. It is for this reason that we are withholding all technical details.” While Yoran’s post and Tenable’s disclosure avoid the word vulnerability, the email said the term is accurate.

The post came on the same day that security firm Sygnia disclosed a set of what it called “vectors” that could be leveraged following a successful breach of an Azure AD Connect account. The vectors allow attackers to intercept credentials via man-in-the-middle attacks or to steal cryptographic hashes of passwords by injecting malicious code into a hash syncing process. Code injection could also allow attackers to gain a persistent presence inside the account with a low probability of being detected.

“The default configuration exposes clients to the described vectors only if privileged access was gained to the AD Connect server,” Ilia Rabinovich, director of adversarial tactics at Sygnia, wrote in an email. “Therefore, a threat actor needs to perform preliminary steps before proceeding with the exploitation process of the vectors.”

Both Tenable and Sygnia said that the security vulnerabilities or vectors they disclosed weren't related to the recent attack on Microsoft cloud customers.

Serious cybersecurity defects

In last week’s letter to the heads of the Justice Department, Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency, Wyden accused Microsoft of hiding its role in the 2020 SolarWinds supply chain attack, which Kremlin hackers used to infect 18,000 customers of the network management software. A subset of those customers, including nine federal agencies and 100 organizations, received follow-on attacks that breached their networks.

The senator went on to pin blame on Microsoft for the recent mass breach of the Departments of State and Commerce and the other Azure customers. Specific failings, Wyden said, included Microsoft having “a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.” He also faulted Microsoft for waiting five years to refresh the signing key abused in the attacks, saying best practices are to rotate keys more frequently. He also criticized the company for allowing authentication tokens signed by an expired key, as was the case in the attack.

“While Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits,” Wyden wrote. “That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”

In Wednesday’s post, Yoran voiced largely the same criticisms.

“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” he wrote. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought.”

Post updated on August 3 to include comments from Microsoft and a response from Tenable's Yoran.