Microsoft Didn’t Patch Bug for Years, Leaving Gov Systems Exposed Because It Could Hurt Sales
I don’t even know where to go with this other than to say that, unfortunately, I am not surprised. Not patching a known bug is probably not illegal, and neither is not disclosing it.
Roll back almost a decade, to 2016, when whistleblower and security expert Andrew Harris was working for Microsoft. He was investigating a breach of a large tech company’s Microsoft cloud instance. The part that really annoyed Andrew was that he couldn’t figure out how the attackers had gotten in.
After months of work, Andrew found the culprit: a Microsoft product, Active Directory Federation Services (ADFS), used by millions of people. Hackers could use it to masquerade as a legitimate employee without tripping any alarms, and from there compromise the Microsoft cloud or any other cloud provider that trusted the same sign-on.
While Andrew was worried about the impact on national security caused by this bug, Microsoft saw it differently. NOTE: in fairness, this is probably no different than a lot of decisions companies make every day, but the scale of this MAKES it different.
Microsoft was worried that if news of this bug got out, Microsoft might lose a multi-billion dollar government cloud deal. They could also lose the race to dominate the cloud computing market.
For years he tried to convince Microsoft to fix the bug, but Microsoft was, apparently, not worried.
He did, however, alert some of the company’s most sensitive customers, such as the New York Police Department.
Have you figured out what happened, yet?
A few months later, the SolarWinds attack happened. SolarWinds was one of the worst losses of sensitive data in US government history, measured by the volume of data stolen by Russian hackers.
Microsoft told Congress in 2021 that it was blameless for the SolarWinds attack and instead blamed customers’ poor security practices. While customers’ security practices contributed to the problem, the hackers apparently used this very ADFS flaw to get into victims’ cloud environments.
The federal Cyber Safety Review Board (CSRB) recently crucified Microsoft’s security practices, and this only makes it worse. On the other hand, what doesn’t kill you makes you stronger, so who knows.
The timing of the whistleblower’s story was likely intentional.
Microsoft’s president, Brad Smith, testified today in front of the House Homeland Security Committee. I would guess they might have a few more questions for good old Brad boy in light of this exposé.
It is amazing. In light of their crucifixion by the CSRB and the whistleblower report, Microsoft now says the company’s top priority is security, “above all else”.
Microsoft’s CEO, Satya Nadella, told employees that if you are faced with a tradeoff between security and another priority, your answer is clear: do security.
We will see if that actually pans out.
Nick DiCola, one of the whistleblower’s former bosses, who no longer works for Microsoft said “This is part of the problem overall with the industry.” Publicly traded tech giants “are beholden to the share price, not to doing what’s right for the customer all the time. That’s just a reality of capitalism. You’re never going to change that in a public company because at the end of the day, they want the shareholder value to go up”.
The source article, in ProPublica, goes on for a long time with a lot of detail.
This situation is eerily similar to the one from early 2002 that produced the famous “Gates Memo” on Trustworthy Computing, after which Bill Gates had the entire company stand down for security training.
Since product managers’ compensation is tied to releasing bright, shiny new products (this is not a Microsoft thing, this is an industry thing), they have little to no motivation to fix problems.
Microsoft’s Security Response Center (MSRC), which is responsible for the company’s overall security response, gets hundreds to thousands of reports each and every month.
Again, this is not just a Microsoft problem. Last week an internal Google database of thousands of privacy and security incidents was leaked.
Because of the sheer volume of reports, the MSRC is pushed to find a justification that gets it to the end game of “no, we don’t need to fix this”.
While developing a long-term fix that would not break everything was going to be hard and take time, Andrew had a quick fix: disable single sign-on. From the company’s marketing view this would be a disaster, so they dismissed it as an option. Microsoft worried that it would really damage its reputation with that multi-billion-dollar customer, the federal government.
Soon after Andrew had the conversation in which Microsoft execs turned down his request to turn off single sign-on, researchers at CyberArk wrote a blog post about the flaw. The proverbial cat was now out of the bag. They called the attack Golden SAML: an intruder who has already compromised the ADFS server steals its token-signing certificate and uses it to forge SAML tokens for any user, including accounts protected by MFA, and the cloud accepts those tokens as genuine because they carry a valid signature. Microsoft’s president has said that this publication was the moment the company learned of the issue. Said more accurately, it was the moment the company could no longer deny this was an issue.
In fairness, even some of the researchers with whom CyberArk privately shared its findings asked what the big deal was. CyberArk reached out to Microsoft Israel and got a similar “no big deal” response. In response to that, they published the bug announcement. Of course, it didn’t hurt that CyberArk’s own software blunted the attack vector.
After the report, Andrew went back to Microsoft execs saying the problem was even more urgent, because the report included code to demonstrate that the attack was real. Again, Microsoft ignored him.
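To make concrete why a Golden SAML forgery does not trip any alarms at the cloud side, and what check does catch it, here is an added example written for this post; it is not code from ProPublica, CyberArk, or Microsoft. It is a simplification and an assumption on my part: a real ADFS token is XML signed with RSA (XML-DSig), whereas this stand-in signs a small JSON assertion with HMAC-SHA256 so it runs with the Python standard library alone. The trust model is the same, though: whoever holds the token-signing key can mint assertions the relying party must accept. The hostnames, user names and group names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def canonical(assertion: dict) -> bytes:
    """Deterministic byte form of an assertion so signer and verifier hash the same thing."""
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign(assertion: dict, token_signing_key: bytes) -> str:
    """Stand-in for XML-DSig: HMAC-SHA256 over the canonical assertion (simplifying assumption)."""
    mac = hmac.new(token_signing_key, canonical(assertion), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_assertion(issuer, subject, audience, groups, lifetime, now=None):
    """Fields every assertion carries; both the IdP and the attacker build the same shape."""
    now = int(time.time()) if now is None else now
    return {
        "id": "_" + secrets.token_hex(16),
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "groups": groups,
        "not_before": now - 60,
        "not_on_or_after": now + lifetime,
    }


class IdentityProvider:
    """Stand-in for an ADFS farm: owns the token-signing key and logs every assertion it issues."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.token_signing_key = secrets.token_bytes(32)
        self.issuance_log: list[str] = []

    def issue(self, subject, audience, groups, lifetime=3600):
        assertion = build_assertion(self.issuer, subject, audience, groups, lifetime)
        self.issuance_log.append(assertion["id"])
        return assertion, sign(assertion, self.token_signing_key)


class RelyingParty:
    """Stand-in for the cloud tenant that federates with the IdP."""

    def __init__(self, audience, trusted_issuer, trusted_key):
        self.audience = audience
        self.trusted_issuer = trusted_issuer
        self.trusted_key = trusted_key
        self.accepted: list[dict] = []

    def accept(self, assertion, signature) -> bool:
        """All the checks a relying party can make on its own: issuer, audience, window, signature."""
        now = int(time.time())
        if assertion.get("issuer") != self.trusted_issuer:
            return False
        if assertion.get("audience") != self.audience:
            return False
        if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
            return False
        if not hmac.compare_digest(sign(assertion, self.trusted_key), signature):
            return False
        self.accepted.append(assertion)
        return True


def golden_saml(stolen_key, issuer, subject, audience, groups, lifetime=365 * 86400):
    """Attacker side: with the stolen token-signing key, mint an assertion for any subject, any
    group claims and any lifetime, entirely offline. The IdP never sees it, so no password
    check, MFA prompt or IdP sign-in event ever happens."""
    assertion = build_assertion(issuer, subject, audience, groups, lifetime)
    return assertion, sign(assertion, stolen_key)


def find_unissued(accepted, issuance_log):
    """Detection: assertions the relying party accepted that the IdP has no record of issuing."""
    issued = set(issuance_log)
    return [a for a in accepted if a["id"] not in issued]


def demo():
    idp = IdentityProvider("https://adfs.example.com/adfs/services/trust")  # constructed name
    rp = RelyingParty("urn:cloud:example", idp.issuer, idp.token_signing_key)
    legit = idp.issue("alice@example.com", rp.audience, ["Users"])
    # Assume the attacker has already compromised the ADFS server and exported the key.
    forged = golden_saml(idp.token_signing_key, idp.issuer,
                         "admin@example.com", rp.audience, ["Global Administrators"])
    result = {"legit_accepted": rp.accept(*legit), "forged_accepted": rp.accept(*forged)}
    result["unissued"] = [a["subject"] for a in find_unissued(rp.accepted, idp.issuance_log)]
    return result


if __name__ == "__main__":
    print(demo())
```

The relying party accepts both assertions and cannot tell them apart, because every check it can perform passes: the signature is valid, the issuer and audience match, and the forged validity window is whatever the attacker chose. The only thing that exposes the forgery is evidence the cloud side does not have on its own, namely the IdP’s issuance record, which is why the practical defence is correlating cloud sign-ins against ADFS token-issuance logs and treating the token-signing certificate as a credential that must be rotated after any compromise of the federation server.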
While some people are not fans of ProPublica, if their report is even halfway accurate (and we will probably learn a little more after listening to Brad Smith’s nearly three hours of testimony today), Microsoft has some work ahead of it: to fix the culture, fix the products and fix its reputation. Read the entire ProPublica article here.