Several security companies are dissatisfied with Microsoft’s patch policy. The tech giant allegedly undermines and conceals serious vulnerabilities.

Most criticism comes from Orca Security and Tenable, two security companies. Orca Security informed Microsoft of two serious Azure Synapse Analytics vulnerabilities in January. It took months for the patches to appear, and Microsoft did not provide an explanation. The tech giant allegedly hid the problem from customers.

Amit Yoran, the CEO of security company Tenable, is outraged. “Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service”, he recently shared in a blog. “After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk. It was only after being told that we were going to go public, that their story changed — 89 days after the initial vulnerability notification — when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.”

Follina

The vulnerabilities in Azure Synapse are not the only problem. Microsoft’s response to Follina, a large-scale Windows vulnerability, raises questions as well. Security company Shadow Chaser Group found the vulnerability and sounded the alarm in April. Five weeks later, Microsoft officially announced the problem. The patch was released a few days ago. This means that the vulnerability was exploitable for seven weeks.

It’s unclear why the tech giant took weeks to recognize the issue. Microsoft did explain why some patches are released later than expected. “The release of a security update is a balance between quality and timeliness”, a spokesperson said of the Azure Synapse patch. “We consider the need to minimize customer disruptions while improving protection.”

Usual suspect

Earlier this year, Google released a report on the speed with which tech giants address vulnerabilities and bugs. Security team Google Project Zero found 16 bugs in Microsoft software throughout 2021. It took the tech giant an average of 76 days to solve a bug. Apple did so in 64 days and Google in 53.

The figures align with the allegations of Orca Security and Tenable. In its report, Google called on software companies to communicate more transparently about the development process of patches.
