
Microsoft silent patches called “a grossly irresponsible policy”

Cyber security company Tenable said that the tech giant is putting customers at risk after it found two bugs in Microsoft Azure analytics software, one of which users weren’t made aware of

Cyber security company Tenable Security said it found two bugs in Microsoft Azure analytics software and complained that the tech giant didn’t follow industry standards in disclosing the patch to its users.

Tenable claimed that Microsoft patched one bug in its Synapse Analytics platform without telling users, and left the other unpatched, according to the company’s blog. Synapse Analytics is a machine learning and data aggregation platform that runs on Apache Spark with limited permissions.

The security company found a privilege escalation flaw that allowed a user to escalate privileges to those of the root user within the context of a Spark VM. The other flaw allowed a user to poison the hosts file on all nodes in their Spark pool, which lets them redirect subsets of traffic and snoop on services that users generally don’t have access to. The full privilege escalation flaw has been addressed, said Tenable, but the hosts file poisoning flaw remained unpatched when the blog post was published.
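Because the hosts file poisoning flaw works by remapping service hostnames on every node, one defensive control is a periodic integrity check of each node's hosts file against the addresses the platform is expected to use. The following audit script is an added example written for this article, not code from Tenable or Microsoft; the hostnames, addresses and sample hosts file are constructed placeholders.

```python
import re

# Constructed baseline: service hostnames the pool nodes are expected to resolve,
# mapped to the addresses they should resolve to. Hypothetical values for illustration.
EXPECTED_HOSTS = {
    "metadata.internal.example": "10.0.0.5",
    "storage.internal.example": "10.0.0.7",
}

def parse_hosts(text):
    """Parse hosts-file text into (line_no, ip, [hostnames]) tuples, skipping comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue  # malformed line: an address with no hostname
        entries.append((line_no, fields[0], [name.lower() for name in fields[1:]]))
    return entries

def find_overrides(text, expected=EXPECTED_HOSTS):
    """Return every entry that remaps a known service hostname to an unexpected address.

    An override is the signature of hosts-file poisoning: a name the platform relies on
    now points somewhere else, so traffic to that service can be redirected.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in expected and ip != expected[name]:
                findings.append({"line": line_no, "host": name,
                                 "ip": ip, "expected": expected[name]})
    return findings

# Constructed sample of a tampered hosts file: line 3 redirects the storage service.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "10.0.0.5 metadata.internal.example\n"
    "10.0.0.99 STORAGE.internal.example   # unexpected mapping\n"
    "192.168.1.20 spark-worker-1\n"
)

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print(f"line {finding['line']}: {finding['host']} -> {finding['ip']} "
              f"(expected {finding['expected']})")
```

On a real pool the check would read /etc/hosts from each node and alert on any non-empty result, since legitimate configuration should never change these mappings.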

Tenable underlined that many of the keys, secrets, and services accessible via these attacks have traditionally allowed further lateral movement and potential compromise of Microsoft-owned infrastructure. This could lead to a compromise of other customers’ data, it added. However, for Synapse Analytics, root user access is limited to their own Spark pool so access to resources outside of this would require additional vulnerabilities to be chained and exploited.

The cyber security company rated the issue as critical severity, although it said that Microsoft considered the issue a low severity defence-in-depth improvement.

Tenable complained that there appeared to be a disconnect between the Microsoft Security Response Center (MSRC) and the development team behind Synapse Analytics. The company had to reach out via Twitter to get a response, despite requesting status updates via email and the researcher portal.

“During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues,” detailed Tenable’s blog post. “A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research. This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.”

The cyber security company added that MSRC began attempting to downplay the issue and classified it as a best practice recommendation instead of a security issue. It wasn’t until Tenable notified MSRC of its intent to publish its findings that the Microsoft teams acknowledged that the issues were security related.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” said Amit Yoran, chairman and CEO of Tenable, in a LinkedIn post. “To date, Microsoft customers have not been notified.”


Yoran called it a repeated pattern of behaviour, pointing to how other security companies have written about their vulnerability notification interactions with Microsoft, and the tech giant’s dismissive attitude about the risk that vulnerabilities present to their customers. He highlighted how Orca Security, Wiz, Positive Security and Fortinet published prime examples, with the latter covering the security disaster known as “Follina”. 

“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially,” said Yoran. “Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

“We addressed the issues that Tenable reported to us and no customer action is required,” a Microsoft spokesperson told IT Pro.
