Tenable CEO calls out Microsoft delay on months-old Azure vulnerability

Microsoft is facing renewed scrutiny over its security practices as Tenable CEO Amit Yoran claims the software company has failed to patch a critical Azure vulnerability that his researchers reported in March.

Yoran said the vulnerability allowed researchers to access sensitive information from a bank, however Microsoft is dragging its feet after developing a partial fix that Tenable was later able to bypass.

The new vulnerability is part of a nearly 10-year pattern at Microsoft wherein the company is failing to put the security of its customers first, Yoran claims.

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” Yoran said in a LinkedIn post.

Tenable said the vulnerability in Azure allows an attacker to gain unauthorized but limited access to cross-tenant applications and sensitive data, including authentication secrets.

Tenable immediately notified Microsoft about the vulnerability at the end of March and requested an update in late June. Microsoft notified Tenable on July 6 that the issue was fixed, but Tenable checked the fix and was able to get around it.

To read the complete article, visit Cybersecurity Dive.