A hot potato: Data from Google Project Zero indicates that Microsoft products have accounted for 42.5 percent of all zero-day security vulnerabilities discovered since 2014. Now a security firm is accusing the Redmond-based corporation of irresponsibility, claiming it endangers all its users.

Tenable CEO Amit Yoran criticizes Microsoft for its lax security practices and lack of transparency regarding breaches. He asserts that the Azure platform harbors serious vulnerabilities about which Microsoft has deliberately kept its customers in the dark. According to Yoran, Redmond has allegedly ignored Azure vulnerabilities for months, even while security specialists were aware of the existing issues.

Yoran cites a letter that Senator Ron Wyden sent to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice, and the Federal Trade Commission (FTC) last week. In this letter, Wyden urged federal agencies to hold Microsoft responsible for its oversights and negligent cybersecurity practices, which inadvertently enabled Chinese state actors to spy on United States officials.

In March 2023, Tenable explored an issue on the Azure platform that could have enabled unauthenticated attackers to access cross-tenant applications and sensitive data. Yoran explains that hackers could have manipulated this vulnerability to compromise authentication secrets. The Tenable team was able to "quickly" identify these secrets tied to a specific bank.

The bank was so concerned about the issue that Tenable notified Microsoft "immediately." However, the company didn't patch the vulnerability right away, instead implementing a partial fix some 90 days later. This patch only applied to new applications loaded onto Azure, leaving older applications still at risk.

More than 120 days after Tenable's initial discovery, the bank and other organizations that adopted the Azure platform prior to the partial fix remain vulnerable. Moreover, Yoran posits that these entities likely remain uninformed about their exposure, which prevents them from making informed decisions regarding potential mitigations.

"[Microsoft's behavior] is grossly irresponsible, if not blatantly negligent," Yoran said.

Security analysts are fully aware of this problem. Microsoft is presumably aware of the security gap as well and is hoping that threat actors remain ignorant of it. Cloud providers like Microsoft have heavily advocated for a "shared responsibility model" for cloud security. However, this model is irreparably compromised when the cloud vendor fails to alert customers about issues.

Tenable's CEO contends that Microsoft's inconsistent record with security remediation endangers all Azure customers and third-party actors, adding that a "just trust us" philosophy is broken when, in return, customers receive scant transparency and a "culture of toxic obfuscation."