Several cybersecurity firm have criticized Microsoft for what they claim are slow and opaque patching practices.
Orca Security and Tenable have both been quite vocal on how Microsoft handles high-severity vulnerabilities. The former says it has been trying to get Microsoft to fix a critical issue in Azure’s Synapse Analytics since early January 2022, and after a lot of back and forth, as well as two failed attempts, the company finally managed to provide a patch for user endpoints (opens in new tab), properly, only on April 15.
Tenable has also voiced its dissatisfaction with how the Synapse issue was resolved, the publication further found. In a LinkedIn post (opens in new tab), the company’s Chairman and CEO, Amit Yoran, said there’s a “lack of transparency” Microsoft showed, just a day before the embargo on privately disclosed vulnerabilities lifts.
Slow Follina patch
“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch (opens in new tab) one of the problems, downplaying the risk,” Yoran said. “It was only after being told that we were going to go public, that their story changed… 89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security (opens in new tab) issue. To date, Microsoft customers have not been notified.”
Microsoft was also criticized for the way it handled the Follina vulnerability, which was apparently only patched after being “actively exploited in the wild for more than seven weeks”.
Researchers from Shadow Chaser Group apparently reached out to Microsoft in April, to report on Follina being used in the wild, but the company didn’t declare it as a vulnerability (opens in new tab) until two weeks ago, for unknown reasons.
Slow or not, Microsoft did go into detail on how it fixed the Azure flaw: “We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection.”