Microsoft silent patches called “a grossly irresponsible policy”

The entrance to one of Microsoft's offices
(Image credit: Shutterstock)

Cyber security company Tenable Security said it found two bugs in Microsoft Azure analytics software and complained the tech giant didn’t follow industry standards in declaring the patch to other users.

Tenable claimed that Microsoft patched one bug in its Synapse Analytics platform without telling users, and left the other unpatched, according to the company’s blog. Synapse Analytics is a machine learning and data aggregation platform that runs on Apache Spark with limited permissions.

The security company found a privilege escalation flaw that allowed a user to escalate privileges to that of the root user within the context of a Spark VM. The other flaw allowed a user to poison the hosts file on all nodes in their Spark pool which allows a user to redirect subsets of traffic and snoop on services users generally don’t have access to. The full privilege escalation flaw has been addressed, said Tenable, but the hosts file poisoning flaw remained unpatched when the blog post was published.

Tenable underlined that many of the keys, secrets, and services accessible via these attacks have traditionally allowed further lateral movement and potential compromise of Microsoft-owned infrastructure. This could lead to a compromise of other customers’ data, it added. However, for Synapse Analytics, root user access is limited to their own Spark pool so access to resources outside of this would require additional vulnerabilities to be chained and exploited.

The cyber security company rated the issue as critical severity, although said that Microsoft considered the issue a low severity defence-in-depth improvement.

Tenable complained that there was some kind of disconnect between the Microsoft Security Response Center (MSRC) and the development team behind Synapse Analytics. The company had to reach out via Twitter to get a response despite requesting status updates via emails and the researcher portal.

“During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues,” detailed Tenable’s blog post. “A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research. This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.”

The cyber security company added that MSRC began attempting to downplay the issue and classified it as a best practice recommendation instead of a security issue. It wasn’t until Tenable notified MSRC of its intent to publish its findings that the Microsoft teams acknowledged that issues were security related.

“It was only after being told that we were going to go public, that their story changed…89 days after the initial vulnerability notification…when they privately acknowledged the severity of the security issue,” said Amit Yoran, chairman and CEO of Tenable, in a LinkedIn post. “To date, Microsoft customers have not been notified.”


CIAM buyer’s guide

Finding the right CIAM solution to capture & retain customers, fuel business growth and keep customers safe


Yoran called it a repeated pattern of behaviour, pointing to how other security companies have written about their vulnerability notification interactions with Microsoft, and the tech giant’s dismissive attitude about the risk that vulnerabilities present to their customers. He highlighted how Orca Security, Wiz, Positive Security and Fortinet published prime examples, with the latter covering the security disaster known as “Follina”.

“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially,” said Yoran. “Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy.”

“We addressed the issues that Tenable reported to us and no customer action is required,” a Microsoft spokesperson told IT Pro.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.