Microsoft Addresses Tenable’s Critique concerning Power Platform information disclosure vulnerability

Priya Walia

In the world of technology, bugs, and glitches are notorious invaders that can break the smooth functioning of services. Microsoft recently found itself amid a flurry of criticism when infosec intelligence vendor, Tenable, flagged a flaw in Microsoft’s Power Platform.

Last Friday, the tech company broke its silence about the situation and explained. On scrutinizing Tenable’s July report,  it explained that a “very small subset” of the code and its user base was at risk. It went on to assure that it rectified the flaw by August 2, notifying customers via the Microsoft 365 Admin Center.

However, it was not the discovery of the flaw that brought floodlights onto Microsoft but its seemingly unhurried approach to fixing the problem, a matter that sparked a heated exchange between Tenable and Microsoft.

Tenable first alerted Microsoft to the problem back in March. When the firm believed that the software giant’s initial fix was dangerously inadequate, it reached out again in July.

The slow response from Microsoft stirred a hornet’s nest, compelling Tenable CEO Amit Yoran to pen a potent critique on LinkedIn.

Yoran vehemently labeled Microsoft’s approach as “grossly irresponsible, if not blatantly negligent”. He argued that Microsoft appeared to be undermining the shared responsibility model, especially when the service provider seems to be sluggishly addressing issues and not tuning customers into the scenario as they unfold.

In response, Microsoft elucidated the reason behind their seemingly slow response: implementing a phased procedure encompassing a thorough investigation, update development, and compatibility testing before patching up the problem. The company emphasized that resolving a glitch isn’t merely an act of speed but should also safeguard against disrupting customer services and compromising the quality of the fix.

The software giant explained that rushing a solution could result in substantial disruption for customers. Citing the ’embargo period,’ they stressed this phase is a buffer to time a quality fix, and not all patches can or should be hastily applied.

Yet, while all this process takes place, Microsoft assures that they consistently monitor all reported vulnerabilities for signs of active exploitation and respond swiftly if such signs appear.

As transparency is a crucial part of its operation, Microsoft affirms that its roles as a service provider and a security company make them a key player in an ecosystem that prioritizes customer protection. They acknowledged the value of the security community’s input and emphasized the importance of responsible research and mitigation in securing their customers.

Tenable’s disagreement with Microsoft’s process further escalated the tension. Nonetheless, Microsoft maintained its stance, asserting that any deviation from its accepted process would ultimately increase the security risk among its customers and communities.

The episode concludes with Microsoft reaffirming its pledge to maintain an unwavering commitment to protecting its customers and ensuring transparency, all the while juggling priorities and staying true to its processes.

Via The Register