Researchers suspect a neglected Exchange Server zero-day likely caused one of the UK's...

Cal Jeffrey

In context: Microsoft's approach to software security has taken a beating lately. In addition to being late to patch actively exploited vulnerabilities, the company has been criticized for not being transparent about these risks and being "irresponsible" in its handling of them. Now, researchers are blaming Redmond devs for one of the biggest hacks ever in the UK.

On Tuesday, the United Kingdom Electoral Commission (UKEC) announced that it had suffered one of the worst security breaches ever in the UK. The hack exposed the personal data of as many as 40 million registered voters, including full names, street and email addresses, and any other information stored by election officials.

The UKEC discovered the intrusion last October, but its investigation found that suspicious activity first occurred in August 2021. Attackers therefore had access to the records for roughly 14 months before the intrusion was detected.

While the UKEC did not reveal the cause of the breach, Ars Technica notes that independent research by Zack Whittaker and Kevin Beaumont found that the hack was likely an exploit of the Microsoft Exchange Server zero-day informally known as "ProxyNotShell," which Microsoft appeared to have dealt with in October 2022. However, as they discovered, that was not the case.

The vulnerabilities, CVE-2022-41040 and CVE-2022-41082, chain together into remote code execution and were reported to Microsoft as actively exploited in September 2022. Redmond immediately issued guidance for mitigating the security weaknesses. Unfortunately, Beaumont claims bad actors easily bypassed Redmond's mitigation measures. Worse yet, Exchange developers did not ship a complete fix until November 2022.

"At the time Microsoft released temporary mitigations rather than a security patch – it took until November 2022 for a security update to fully resolve the problem," Beaumont wrote. "This was a significant delay. In the meantime, the security mitigations Microsoft provided were repeatedly bypassed."
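As an added illustration (not code from the article, and not Microsoft's or the researchers' own), the following Python script shows why a mitigation written as a narrow URL pattern is easy to bypass. It replays constructed IIS log lines against two rules: a narrow one that approximates the shape of Microsoft's first URL Rewrite mitigation (match on the raw request URI, requiring a literal "@" between autodiscover.json and powershell), and a broader one that follows the approach of the later guidance (URL-decode first, then require only that "autodiscover" and "powershell" both appear). The log lines, hostnames and the exact regexes are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (sample data, not from the article or the Electoral Commission).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 - 203.0.113.9 python-requests/2.28 200
2022-10-01 10:15:02 10.0.0.5 POST /autodiscover/autodiscover.json %40example.com/powershell 443 - 203.0.113.9 python-requests/2.28 200
2022-10-01 10:15:03 10.0.0.5 POST /autodiscover/autodiscover.json %2540example.com/%2570owershell 443 - 203.0.113.9 curl/7.85 200
2022-10-01 10:16:00 10.0.0.5 GET /owa/ - 443 jdoe 198.51.100.4 Mozilla/5.0 200
2022-10-01 10:16:05 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 jdoe 198.51.100.4 Outlook/16.0 200
"""

# Narrow rule (assumed approximation of the first mitigation): runs on the raw URI and
# insists on a literal "@" sitting between autodiscover.json and powershell.
NARROW_RULE = re.compile(r".*autodiscover\.json.*@.*powershell.*", re.IGNORECASE)

# Broad rule (approach of the later guidance): two independent lookaheads over the
# URL-decoded URI, so percent-encoding and the presence or absence of "@" do not matter.
BROAD_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def decode_fully(uri: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so double encoding (%2540 -> %40 -> @) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def parse_iis_log(text: str):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("log line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a production parser should count and report these
        yield dict(zip(fields, values))


def request_uri(entry: dict) -> str:
    """Rebuild the raw request URI (stem plus query) the way URL Rewrite's {REQUEST_URI} sees it."""
    stem, query = entry["cs-uri-stem"], entry["cs-uri-query"]
    return stem if query == "-" else f"{stem}?{query}"


def classify(text: str):
    """Return (narrow_hits, broad_hits): timestamps flagged by each rule."""
    narrow, broad = [], []
    for entry in parse_iis_log(text):
        raw = request_uri(entry)
        stamp = f"{entry['date']} {entry['time']}"
        if NARROW_RULE.search(raw):
            narrow.append(stamp)
        if BROAD_RULE.search(decode_fully(raw)):
            broad.append(stamp)
    return narrow, broad


if __name__ == "__main__":
    narrow_hits, broad_hits = classify(SAMPLE_LOG)
    print("narrow rule (raw URI, literal @):", narrow_hits)
    print("broad rule (decoded URI, lookaheads):", broad_hits)
```

Only the first of the three suspicious requests survives the narrow rule; a single percent-encoded "@" is enough to slip past it, and double encoding defeats even a rule that decodes once. Decoding to a fixed point before matching, and matching on what the request does rather than on incidental characters, is the difference between the two rules. The same rules can be applied when hunting historical IIS logs for the period before the November 2022 update.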

Beaumont's and Whittaker's criticisms are not the only flak Microsoft has received over slow zero-day patching and lack of transparency regarding cyber risks. Last week, Tenable CEO Amit Yoran called the tech giant "grossly irresponsible" and said its security practices are "worse than you think." Last month, the company finally got around to patching six actively exploited zero-day vulnerabilities, one of which was reported way back in May 2022. And in March, it fixed two zero-days, but not before one was found and used by state-sponsored Russian hackers.

However, let's be fair. If all information is accurate, suspicious activity at the UKEC began in August 2021, and Redmond developers were not informed of the problem until September 2022. So for over a year, there was an open window in Exchange that hackers could have exploited without Microsoft knowing the flaw existed. Does that excuse Redmond's poor mitigation guidance or its slow fix? No, but assigning Microsoft full blame for a hack that may have started well before it was notified of the flaw might be somewhat unfair.

Microsoft not making a good name for themselves in the UK, eh?

Even though they recently got a contract for most of the UK government's IT needs. But that can always be changed.