Microsoft whistleblower says firm ignored early warnings about flaw exploited in SolarWinds breach
Microsoft dismissed warnings about the security flaw that led to the SolarWinds cyber catastrophe, according to a whistleblower
A former Microsoft security professional has claimed his warnings about a vulnerability later exploited in the SolarWinds attacks were dismissed by the tech giant.
Andrew Harris worked at Microsoft for six years between 2014 and 2020 as both a security architect and principal product manager.
According to a ProPublica report, Harris first spotted the flaw, labeled Golden SAML, in 2016 when investigating a security intrusion affecting Active Directory Federation Services (ADFS), a Microsoft single sign-on (SSO) feature for applications located across organizational boundaries.
ADFS is used by millions of people to log into their work computers, and the flaw allowed attackers to disguise themselves as legitimate employees and gain access to sensitive information in the environment while remaining undetected.
Harris noted the SAML attack vector was unique in that it left a minimal digital trace, thus making it particularly difficult to detect and track.
He added that anyone using the software was potentially exposed to the vulnerability, regardless of whether they used Microsoft or another cloud provider, and said he was particularly concerned about potential attacks on the federal government.
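As an added defender-side illustration (this code is not from the article, ProPublica, or Microsoft): a forged Golden SAML token is signed with a stolen ADFS signing key and never passes through ADFS, so the cloud side records a federated sign-in that the on-premises ADFS logs never issued. Correlating the two record sets is the usual way to surface that otherwise minimal trace. The log records below are constructed and their field names are simplified assumptions, not the real ADFS or cloud sign-in schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields are an assumption:
# ADFS issuance:  (issued_at, user, assertion_id)
# cloud sign-in:  (signed_in_at, user, assertion_id, auth_method)
ADFS_TOKENS = [
    ("2020-12-01T09:00:05Z", "alice@example.com", "_a1"),
    ("2020-12-01T09:15:10Z", "bob@example.com", "_b7"),
]
CLOUD_SIGNINS = [
    ("2020-12-01T09:00:09Z", "alice@example.com", "_a1", "federated"),   # legitimate
    ("2020-12-01T09:05:00Z", "alice@example.com", "_x2", "federated"),   # unknown assertion, user active
    ("2020-12-01T09:15:12Z", "bob@example.com", "_b7", "federated"),     # legitimate
    ("2020-12-01T11:42:00Z", "admin@example.com", "_zz9", "federated"),  # ADFS never issued anything
    ("2020-12-01T12:00:00Z", "carol@example.com", "", "password"),       # not SAML, out of scope
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_unissued_federated_signins(adfs_tokens, cloud_signins, window_minutes=10):
    """Return federated cloud sign-ins whose SAML assertion has no matching
    ADFS issuance record. Each finding is (user, assertion_id, time, reason)."""
    issued = {(user, aid) for _, user, aid in adfs_tokens}
    issued_by_user = {}
    for when, user, _ in adfs_tokens:
        issued_by_user.setdefault(user, []).append(_ts(when))
    window = timedelta(minutes=window_minutes)

    findings = []
    for when, user, aid, method in cloud_signins:
        if method != "federated":
            continue                      # only SAML-backed sign-ins are relevant
        if (user, aid) in issued:
            continue                      # ADFS logged this exact token: expected path
        t = _ts(when)
        # Distinguish "ADFS issued something for this user recently" (possible
        # logging gap, lower severity) from "ADFS issued nothing" (high severity).
        recent = any(t - window <= i <= t for i in issued_by_user.get(user, []))
        reason = ("unknown assertion id, recent ADFS issuance exists" if recent
                  else "no ADFS token issued for this user")
        findings.append((user, aid, when, reason))
    return findings

if __name__ == "__main__":
    for f in find_unissued_federated_signins(ADFS_TOKENS, CLOUD_SIGNINS):
        print(f)
```

In practice the comparison has to tolerate clock skew between ADFS and the cloud tenant, and a gap in ADFS log collection produces the same signal as a forged token, so the "recent issuance exists" case deserves triage rather than being dropped.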
Months after Harris left Microsoft in August 2020 for cyber security vendor CrowdStrike, the SolarWinds breach that saw Russian threat actors infect the SolarWinds Orion network monitoring tool with malicious code was discovered.
The infected Orion software was subsequently downloaded by thousands of organizations, including those in the US government, triggering a major supply chain incident that Bitsight estimated incurred $90,000,000 in insured losses.
Senior Microsoft officials prioritized minimizing business fallout during the explosion in cloud computing
After raising the issue with his supervisors, Harris was referred to the Microsoft Security Response Center (MSRC), which he said declined to fix the problem, arguing that attackers would first need access to an on-premises server before they could move into the cloud environment.
Harris said he then took the issue to senior product manager Mark Morowczynski and director Alex Simons, who agreed it constituted a “huge issue” but, he said, disagreed with him about how the company should go about remediating it.
According to Harris, Morowczynski gave two objections. The first was that publicly acknowledging the vulnerability would alert potential attackers, who could then further exploit it.
The second was that alerting the public would jeopardize Microsoft’s ability to capitalize on the massive investment in cloud computing, including one of the largest government computing contracts in US history.
Harris and other former Microsoft employees told ProPublica that CEO Satya Nadella had made it clear internally that the hyperscaler needed to ensure it did not miss out on the multi-billion dollar deal to secure its future selling cloud services.
Tim Mackey, head of software supply chain risk at Synopsys Software Integrity Group, said the incident underscores the friction that frequently arises between security and business verticals within an organization.
“Without getting into the specifics, the nature of this incident and its timeline highlights the tension that often exists between technical teams and their business peers,” he explained.
“For a technical team, any weakness, particularly within code that is an area of expertise for that team, represents a priority to be addressed. If that weakness then becomes exploitable, then technical teams are even more eager to address the issue.”
Mackey said that when minimizing business impact conflicts with mitigating security issues, the argument is all too often won by those looking to protect the organization’s bottom line.
“The problem is that new features and enhancement requests from top customers often have greater business value than bug fixes – even if those bugs are security bugs. While we would all love to say that all software developers address security issues first, and then address new features, the reality is that R&D efforts are prioritized based on business impact.”
He added that the prevalence of this dynamic, which is hurting security postures around the world, has triggered recent efforts by cyber agencies to advocate for more transparency in the industry.
“It is the impact of this dynamic that is behind efforts like CISA’s Secure by Design principles and the concepts of ‘Radical Transparency’, which contribute to various software assurance efforts promoting transparency into development and deployment practices as a means of reducing business risks associated with the usage of software."
A spokesperson for Microsoft told ITPro that "protecting customers is our highest priority" and that its security response team gives "every case due diligence with a thorough manual assessment".
"Our assessment of this issue received multiple reviews and was aligned with the industry consensus," the spokesperson said.
"Security assertion markup language (SAML) is an industry standard for authentication supporting the majority of authentication and multiple vendors' identity services today. There are not inherent vulnerabilities in that standard and supporting SAML, itself, is not a vulnerability for identity services.
"Many customers use SAML as the industry-standard authentication protocol to delegate trust between systems. As with others across the industry we continue to offer that functionality to our customers, while emphasizing the importance of securing the systems that are the root of that trust.
"We prioritize our security response work by considering potential customer disruption, exploitability, and available mitigations. We continue to listen to the security research community and evolve our approach to ensure we are meeting customer expectations and protecting them from emerging threats. One example of this is our Secure Future Initiative commitments which we launched in November to help prepare for increasing scale and seriousness of cyber attacks as our top priority.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.