Microsoft has come under fire from several cybersecurity firms over how the company handles high-severity vulnerabilities.
According to TechRadar (via Ars Technica), Orca Security and Tenable say Microsoft is slow and inadequate at releasing security patches for reported vulnerabilities, some of which are high-severity.
According to the report, one of these firms reported a critical issue in Azure’s Synapse Analytics to Microsoft in early January 2022, and Microsoft released a security patch for user endpoints on April 15. Getting Microsoft to resolve the issue was not a straightforward process, and it involved many failed attempts along the way.
Cybersecurity firms believe Microsoft is not transparent and fast at solving high-severity vulnerabilities
Tenable Chairman and CEO Amit Yoran said Microsoft failed to manage the Synapse issue properly, and he believes the company suffers from a “lack of transparency.”
“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk,” Yoran noted. “It was only after being told that we were going to go public, that their story changed… 89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.”
How Microsoft handled the Follina vulnerability also upset cybersecurity experts. They say the company only released a patch after the issue had been “actively exploited in the wild for more than seven weeks.”
Researchers from Shadow Chaser Group informed Microsoft about the expanding scope of the Follina vulnerability in April. However, Microsoft did not acknowledge it as a vulnerability until two weeks ago.
In response to the allegations, Microsoft said, “We are deeply committed to protecting our customers, and we believe security is a team sport.” The company also noted that “The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection.”