Microsoft has issued a rare rebuttal to recent criticism of its alleged “negligent” security practices and approaches to patching security vulnerabilities.
Last week, Tenable chief executive Amit Yoran published a scathing critique of the company, suggesting that the firm’s “lack of transparency” and “irresponsible security practices” have exposed customers to undue risk.
Yoran said Microsoft has a history of deliberately keeping customers in the dark with regard to security vulnerabilities and that the company should be held accountable for its conduct.
His comments followed similar criticism of the tech giant from a US senator in the wake of a Chinese cyber espionage incident that saw emails belonging to government officials accessed by threat actors.
A key talking point in Yoran’s claims centered on the disclosure of a critical security vulnerability in Microsoft’s Power Platform on Azure. Tenable contends that it informed the tech giant of the issue in March this year; however, Yoran revealed that it took several months before the firm issued just a “partial fix”.
This, he argued, represented a severe risk to customers using Microsoft services and amounted to a negligent approach from the firm.
Microsoft strongly disagreed with the claims. In a statement on Friday, the tech giant said that its approach to remediating this vulnerability was based on long-established practices.
“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing,” Microsoft said.
“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”
Microsoft said that “moving too quickly” in response to certain vulnerabilities could result in “more disruption than the risk customers bear” from a security vulnerability.
On this view, Microsoft’s lengthy approach to remediating this vulnerability does not amount to negligence, but rather to a conservative, measured approach to patching the flaw properly and avoiding undue disruption for customers from a botched fix.
“The purpose of an embargo period is to provide time for a quality fix,” the firm said. “Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”
The flaw uncovered by Tenable in March was officially patched on 2 August, Microsoft went on to confirm.
In addition, an investigation into the vulnerability revealed that only a “very small subset” of customers were affected, and the flaw was therefore deemed low risk.