Microsoft’s quiet mishandling of vulnerabilities is becoming a public mess

Microsoft has some explaining to do for its customers making use of Synapse Analytics with its cloud services or those exposed when using Azure Data Factory recently, as companies look for transparency on over five-month long response times to critical vulnerability patches.

According to a report from Ars Technica, Microsoft is facing criticism over its handling of two previously discovered vulnerabilities that took over five months and several botched attempts to address.

A botched attempt at securing a vulnerability, in and of itself is understandable at times, but Orca Security researcher Tzah Pahima documented the responses as well as the timeline in which it took Microsoft to address his concerns about a flaw in the Synapse Analytics component in Azure Data Factory, and it doesn’t look good for Microsoft’s Security Response Center.

• January 4 – The Orca Security research team disclosed the vulnerability to the Microsoft Security Response Center (MSRC), along with keys and certificates we were able to extract.
• February 19 & March 4 – MSRC requested additional details to aid its investigation. Each time, we responded the next day.
• Late March – MSRC deployed the initial patch.
• March 30 – Orca was able to bypass the patch. Synapse remained vulnerable.
• March 31 – Azure awards us $60,000 for our discovery.
• April 4 (90 days after disclosure) – Orca Security notifies Microsoft that keys and certificates are still valid. Orca still had Synapse management server access.
• April 7 – Orca met with MSRC to clarify the implications of the vulnerability and the required steps to fix it in its entirety.
• April 10 – MSRC patches the bypass, and finally revokes the Synapse management server certificate. Orca was able to bypass the patch yet again. Synapse remained vulnerable.
• April 15 – MSRC deploys the 3rd patch, fixing the RCE and reported attack vectors.
• May 9 – Both Orca Security and MSRC publish blogs outlining vulnerability, mitigations, and recommendations for customers.
• End of May – Microsoft deploys more comprehensive tenant isolation including ephemeral instances and scoped tokens for the shared Azure Integration Runtimes.

While Microsoft was able to release a patch roughly two months after the initial discovery, it still took its Security Response Center well over five months to implement a fix that would stick as well as alert customers to the existence of the vulnerability as well as offer mitigations and recommendations for addressing potential issues.

If that wasn’t bad enough, Orca’s discovery came on the heels of another security firm discovering a similar exploit involving Azure Synapse as well. The security firm Tenable was less amenable to Microsoft’s sluggish response time and lack of customer transparency regarding the vulnerability in its publishing of Microsoft’s Vulnerability Practices Put Customers at Risk LinkedIn post.

Unlike the situation with Orca, Microsoft has yet to alert customers to Tenable’s SynLapse discovery despite a 90-day window of vulnerability due to the time it took the company to issue a patch to one of the problems.

The Azure Synapse vulnerabilities represent the latest mishandlings by Microsoft to address critical security issues in a timely manner following concerns about Windows exploits identified in a 2020 academic paper.

The ongoing spam exploit had gone formally unaddressed by Microsoft until Tuesday of this week, which promoted researchers from Shadow Chaser Group to take to Twitter to sound alarm bells in regards to the company’s inaction on the matter.

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

— nao_sec (@nao_sec) May 27, 2022

Due to the sheer size and breadth of the company’s service offerings, Microsoft’s Security Response Center is undoubtedly working overtime to put out fires, but when exploits are hand wrapped by well-intentioned researchers, the company may want to prioritize their communications addressing those findings in the future.