Microsoft is still not addressing a “critical” vulnerability in Azure AD. The tech giant appears to have known about it since March but keeps putting off a fix. The CEO of the cybersecurity company that reported the vulnerability is now venting his frustration online about the slow response.
The cybersecurity company Tenable notified Microsoft in March of a “critical” vulnerability in Azure AD. It allows hackers to access data and apps managed on Microsoft’s cloud service.
Microsoft reportedly responded to the finding for the first time 16 weeks after the problem was reported. It then notified Tenable that it had fixed the vulnerability. The cybersecurity firm’s researchers looked into that and found that the vulnerability had been only partially fixed.
The tech giant now plans to fully address the problem by Sept. 28. As a result, a known vulnerability in Azure AD will remain in place for six months. According to Tenable’s CEO, this is “grossly irresponsible”: “Did Microsoft quickly fix the problem that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix, and only for new applications loaded into the service,” writes Amit Yoran, CEO of Tenable, on LinkedIn.
The scathing words won’t do Microsoft any good, now that the tech giant’s cybersecurity is also under investigation in connection with the Chinese email hack.
Last week, U.S. Senator Ron Wyden, chairman of the Justice Department, Federal Trade Commission and the Cybersecurity and Infrastructure Security Agency, pinpointed Microsoft as the culprit for the incident. According to the senator, the tech giant did not have proper cyber hygiene and had “a single skeleton key that, when inevitably stolen, could be used to access the private communications of several customers.”
Yoran sums up the whole situation succinctly: “Microsoft’s track record puts us all at risk. And it’s even worse than we thought.”