Microsoft dangerous for security

Security firm Tenable reports that Microsoft has known about a critical vulnerability in Azure Active Directory (AAD) since March 2023 but has yet to patch it. The company's CEO, Amit Yoran, has been highly critical of Microsoft's handling of security issues.

Over 40% of all particularly serious vulnerabilities in recent years are related to Microsoft products.

In March 2023, a member of Tenable's research team examined Microsoft's Azure platform and the related . The researcher discovered a vulnerability that would allow an unauthenticated attacker to access applications and sensitive data, such as authentication files. Tenable published this in the post "Unauthorized Access to Cross-Tenant Applications in a Microsoft Azure Service", but since the vulnerability has not been patched, no further details are given.

According to the company, Microsoft was notified of the serious vulnerability on March 30, 2023. The audit team discovered a security gap in the authentication of a bank. The bank was notified immediately and then notified Microsoft.

The vulnerability allows attackers to infiltrate the and services (Azure) of various customers.

But the bank is still waiting today, 120 days after Tenable reported the security breach. The same applies to all other companies that use the same Microsoft cloud services as the bank. These companies still do not know that they are at risk, so they either cannot do anything about it or they sleep peacefully.

Microsoft said it wants to fix the problem by the end of September 2023, four months after Tenable reported it.

Tenable calls this grossly irresponsible.

Tenable knows about the problem, Microsoft knows about the problem — and hopefully attackers don't, says the security firm, which plans to release more details about the vulnerability on September 28, 2023.

Meanwhile, Amit Yoran, president and chief executive officer (CEO) of Tenable, criticizes Microsoft for its behavior in unusually harsh terms. The Tenable CEO accuses Microsoft of a lack of transparency, security breaches, irresponsible security practices and vulnerabilities. It exposes all customers to risks they are deliberately kept in the dark about.

Written by giorgos