
Microsoft silent patches called “a grossly irresponsible policy”

Cyber security company Tenable said that the tech giant is putting customers at risk after it found two bugs in Microsoft Azure analytics software, one of which users weren’t made aware of

Cyber security company Tenable Security said it found two bugs in Microsoft Azure analytics software and complained that the tech giant did not follow industry standards in disclosing the patch to its users.

Tenable claimed that Microsoft patched one bug in its Synapse Analytics platform without telling users, and left the other unpatched, according to the company’s blog. Synapse Analytics is a machine learning and data aggregation platform that runs on Apache Spark with limited permissions.

The security company found a privilege escalation flaw that allowed a user to gain root privileges within the context of a Spark VM. The other flaw allowed a user to poison the hosts file on all nodes in their Spark pool, letting them redirect subsets of traffic and snoop on services that users generally don’t have access to. The full privilege escalation flaw has been addressed, said Tenable, but the hosts file poisoning flaw remained unpatched when the blog post was published.
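Because a hosts file entry is consulted before DNS, a single rewritten or prepended line silently changes where a node sends traffic for that name. The following added example (not code from Tenable, Microsoft or the article) shows one defender-side check: parse a known-good hosts file and the live one, and report names that are added, removed, redirected, or shadowed by a duplicate entry. The hostnames and addresses are constructed placeholders, not real Synapse values.

```python
from collections import OrderedDict

def parse_hosts(text):
    """Return {hostname: [addr, ...]} in file order. Resolvers take the first
    matching entry, so a second, shadowed address for the same name is itself
    a red flag."""
    entries = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, ignore it
        addr, names = parts[0], parts[1:]
        for name in names:
            addrs = entries.setdefault(name.lower(), [])
            if addr not in addrs:
                addrs.append(addr)
    return entries

def find_hosts_drift(baseline_text, current_text):
    """Compare a known-good hosts file with the live one; each finding is
    (kind, hostname, expected, actual)."""
    base = parse_hosts(baseline_text)
    cur = parse_hosts(current_text)
    findings = []
    for name, addrs in cur.items():
        effective = addrs[0]                  # what the resolver will actually use
        if len(addrs) > 1:
            findings.append(("shadowed", name, addrs[1:], effective))
        if name not in base:
            findings.append(("added", name, None, effective))
        elif base[name][0] != effective:
            findings.append(("redirected", name, base[name][0], effective))
    for name in base:
        if name not in cur:
            findings.append(("removed", name, base[name][0], None))
    return findings

# Constructed sample hosts files (placeholder names, not from the article).
BASELINE_HOSTS = """127.0.0.1 localhost
10.0.0.5  spark-master.pool.internal   # constructed baseline entry
10.0.0.9  token-service.pool.internal
"""
CURRENT_HOSTS = """10.0.0.77 token-service.pool.internal   # prepended entry that shadows the real one
127.0.0.1 localhost
10.0.0.5  spark-master.pool.internal
10.0.0.9  token-service.pool.internal
"""

if __name__ == "__main__":
    for kind, name, expected, actual in find_hosts_drift(BASELINE_HOSTS, CURRENT_HOSTS):
        print(f"{kind:10} {name:30} expected={expected} actual={actual}")
```

Run it periodically on every node in the pool (or ship the findings to your SIEM); a clean baseline compare returns an empty list, so any output is worth a look.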

Tenable underlined that many of the keys, secrets, and services accessible via these attacks have traditionally allowed further lateral movement and potential compromise of Microsoft-owned infrastructure, which could in turn lead to a compromise of other customers’ data. For Synapse Analytics, however, root access is limited to the user’s own Spark pool, so reaching resources outside it would require additional vulnerabilities to be chained and exploited.

The cyber security company rated the issue as critical severity, although it said that Microsoft considered the issue a low severity defence-in-depth improvement.

Tenable complained that there was a disconnect between the Microsoft Security Response Center (MSRC) and the development team behind Synapse Analytics. The company had to reach out via Twitter to get a response, despite requesting status updates via email and the researcher portal.

“During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues,” detailed Tenable’s blog post. “A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research. This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.”

The cyber security company added that MSRC began attempting to downplay the issue and classified it as a best practice recommendation instead of a security issue. It wasn’t until Tenable notified MSRC of its intent to publish its findings that the Microsoft teams acknowledged that the issues were security related.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” said Amit Yoran, chairman and CEO of Tenable, in a LinkedIn post. “To date, Microsoft customers have not been notified.”


Yoran called it a repeated pattern of behaviour, pointing to how other security companies have written about their vulnerability notification interactions with Microsoft and the tech giant’s dismissive attitude towards the risk that vulnerabilities present to its customers. He highlighted Orca Security, Wiz, Positive Security and Fortinet as having published prime examples, the latter covering the security disaster known as “Follina”.

“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially,” said Yoran. “Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

“We addressed the issues that Tenable reported to us and no customer action is required,” a Microsoft spokesperson told IT Pro.
