Microsoft defends “negligent” security approach that prolonged vulnerability fix for five months
The tech giant has refuted claims that its practices have left customers “in the dark”


Microsoft has issued a rare rebuttal to recent criticism of its alleged "negligent" security practices and approaches to patching security vulnerabilities.
Last week, Tenable chief executive Amit Yoran published a scathing critique of the company, suggesting that the firm’s “lack of transparency” and “irresponsible security practices” have exposed customers to undue risk.
Yoran said Microsoft has a history of deliberately keeping customers in the dark with regard to security vulnerabilities and that the company should be held accountable for its conduct.
His comments followed similar criticism of the tech giant from a US senator in the wake of a Chinese cyber espionage incident that saw emails belonging to government officials accessed by threat actors.
A key talking point within Yoran’s claims centered on the disclosure of a critical security vulnerability in Microsoft’s Power Platform on Azure. Tenable contends that it informed the tech giant of the issue in March this year; Yoran said it then took several months before the firm issued only a “partial fix”.
This, he argued, represented a severe risk to customers using Microsoft services and amounted to a negligent approach from the firm.
Microsoft strongly disagreed with the claims. In a statement on Friday, the tech giant said that its approach to remediating this vulnerability was based on long-established practices.
“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing,” Microsoft said.
“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”
Microsoft said that “moving too quickly” in response to certain vulnerabilities could result in “more disruption than the risk customers bear” from a security vulnerability.
By Microsoft’s account, its lengthy approach to remediating this vulnerability does not amount to negligence, but rather to a conservative, measured approach that patches the flaw properly and spares customers the disruption a botched fix would cause.
“The purpose of an embargo period is to provide time for a quality fix,” the firm said. “Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”
The flaw uncovered by Tenable in March was officially patched on 2 August, Microsoft went on to confirm.
Similarly, an investigation into the vulnerability revealed that only a “very small subset” of customers were affected, and the flaw was therefore deemed low risk.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.