Alerts, Best Practices, Microsoft, Security Practices

Security Vendors Say Azure Takes Months to Fix Bugs

June 14, 2022 CyberCecurity Leave a comment

The cloud is not magic. Nor does it fix all vulnerabilities. Cases in point.

Two security vendors are accusing Microsoft of unnecessarily putting customers’ data at risk.

The vendors, Orca Security and Tenable, are not bit players with a grudge, so you have to, at least, listen to them. According to the source:

In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure’s Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.
https://www.theregister.com/2022/06/14/security_azure_patch/

Orca’s bug starts in early January and had a score of 7.8. The bug allowed a remote hacker to bypass the separation between tenants and access and control other customers’ workspaces, including stealing Azure keys, API tokens and passwords.

While Microsoft patched it two months later, Orca told Microsoft that the patch didn’t work.

Microsoft repatched the bug on April 10, but Orca still said, nice try.

Then the two got into a war of blogs. Microsoft said it was blog-fixed and Orca said it was blog-broke.

Several patches later, Orca is about to publish a technical analysis of the vulnerability. Now Microsoft says they really, really fixed it this time. Orca says that they have not had time yet to break these new fixes.

Moving on to Tenable, their CEO wrote a blog post that details Microsoft’s response to a privilege escalation bug that could be exploited by anyone. Microsoft, says Tenable, privately admitted the bugs were serious and silently patched one of the bugs. 89 days after Tenable disclosed them and after they told Microsoft that they were going public with the details.

Other security companies – Wiz, Positive Security and Fortinet had similar tales.

To add pressure on Microsoft, Orca said that they found bugs in AWS Glue and AWS Cloud Formation and Amazon fixed them in 25 hours.

The current hand-shake agreement is that vendors have 90 days before researchers go public.

That timeline pre-dated AQS and Azure. Vendors do not have to package and test 100 different configurations to fix their own systems, so they ought to be able to do it more quickly.

Amazon is dealing with a much simpler and newer code base, which works in their favor. Microsoft, at some point, it going to have to deal with the backward compatibility dragon that they have been trying to ignore for thirty years.

In the meantime, the customers – you and me – get to deal with a less than perfect system.