Microsoft defends “negligent” security approach that prolonged vulnerability fix for five months
The tech giant has refuted claims that its practices have left customers “in the dark”
Microsoft has issued a rare rebuttal to recent criticism of its alleged "negligent" security practices and approaches to patching security vulnerabilities.
Last week, Tenable chief executive Amit Yoran published a scathing critique of the company, suggesting that the firm’s “lack of transparency” and “irresponsible security practices” have exposed customers to undue risk.
Yoran said Microsoft has a history of deliberately keeping customers in the dark with regard to security vulnerabilities and that the company should be held accountable for its conduct.
His comments followed similar criticism of the tech giant from a US senator in the wake of a Chinese cyber espionage incident that saw emails belonging to government officials accessed by threat actors.
A key talking point within Yoran’s claims centered around the disclosure of a critical security vulnerability in Microsoft’s Power Platform on Azure. Tenable contends that it informed the tech giant of the issue in March this year, however, Yoran revealed it took several months before the firm issued just a “partial fix”.
This, he argued, represented a severe risk to customers using Microsoft services and amounted to a negligent approach from the firm.
Microsoft strongly disagreed with the claims. In a statement on Friday, the tech giant said that its approach to remediating this vulnerability was based on long-established practices.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Get started on finding an integrated, automated solution that addresses your key security concerns.
“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing,” Microsoft said.
“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”
Microsoft said that “moving too quickly” in response to certain vulnerabilities could result in “more disruption than the risk customers bear” from a security vulnerability.
With this in mind, Microsoft’s lengthy approach to remediating this vulnerability does not amount to negligence, but rather a conservative, measured approach to appropriately patch a flaw and avoid any undue disruption for customers due to a botched fix.
“The purpose of an embargo period is to provide time for a quality fix,” the firm said. “Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”
The flaw uncovered by Tenable in March was officially patched on 2 August, Microsoft went on to confirm.
Similarly, an investigation into the vulnerability revealed that only a “very small subset” of customers were affected, and thus was deemed low risk.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.