
Microsoft’s quiet mishandling of vulnerabilities is becoming a public mess

Published on June 29, 2022

Microsoft has some explaining to do for customers who use Synapse Analytics with its cloud services, or who were exposed while using Azure Data Factory, as companies look for transparency on response times of more than five months for critical vulnerability patches.

According to a report from Ars Technica, Microsoft is facing criticism over its handling of two previously discovered vulnerabilities that took more than five months and several botched attempts to address.

A botched attempt at securing a vulnerability is, in and of itself, understandable at times. But Orca Security researcher Tzah Pahima documented Microsoft's responses, and the timeline it took to address his concerns about a flaw in the Synapse Analytics component of Azure Data Factory, and it doesn't look good for Microsoft's Security Response Center.

While Microsoft was able to release a patch roughly two months after the initial discovery, it still took its Security Response Center well over five months to implement a fix that would stick, alert customers to the existence of the vulnerability, and offer mitigations and recommendations for addressing potential issues.

If that wasn't bad enough, Orca's discovery came on the heels of another security firm discovering a similar exploit involving Azure Synapse. That firm, Tenable, was less amenable to Microsoft's sluggish response time and lack of customer transparency regarding the vulnerability, as laid out in its LinkedIn post "Microsoft's Vulnerability Practices Put Customers at Risk".

Unlike the situation with Orca, Microsoft has yet to alert customers to Tenable’s SynLapse discovery despite a 90-day window of vulnerability due to the time it took the company to issue a patch to one of the problems.

The Azure Synapse vulnerabilities are the latest instance of Microsoft failing to address critical security issues in a timely manner, following concerns about Windows exploits identified in a 2020 academic paper.

The ongoing spam exploit had gone formally unaddressed by Microsoft until Tuesday of this week, which prompted researchers from Shadow Chaser Group to take to Twitter to sound alarm bells about the company's inaction on the matter.

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

— nao_sec (@nao_sec) May 27, 2022

Due to the sheer size and breadth of the company's service offerings, Microsoft's Security Response Center is undoubtedly working overtime to put out fires. But when exploits are handed to it, already documented, by well-intentioned researchers, the company may want to prioritize its communications addressing those findings in the future.

Kareem Anderson

Networking & Security Specialist

Kareem is a journalist from the Bay Area, now living in Florida. His passion for technology and content creation is unmatched, driving him to create well-researched articles and incredible YouTube videos.

He is always on the lookout for everything new about Microsoft, focusing on making easy-to-understand content and breaking down complex topics related to networking, Azure, cloud computing, and security.
