Microsoft fixes major security flaw after "irresponsible" jibe
Microsoft has finally fixed a high-severity flaw that had been plaguing Azure users for five months after being called out on supposed lax security practices.
According to a report on BleepingComputer, Microsoft released a patch on August 2 that fixes a flaw in the Power Platform Custom Connectors feature. The flaw allowed threat actors to access cross-tenant applications and Azure users' sensitive data.
Cybersecurity researchers from Tenable were the first to discover the flaw in late March 2023, and the company's CEO had heavily criticized Microsoft's supposed inaction.
Cybersecurity researchers from Tenable were the first to discover the flaw in late March this year and claim it was a big one, as it allowed them to obtain secrets belonging to a bank (an unnamed one, but apparently a Tenable customer). The researchers notified Microsoft immediately, which acknowledged the flaw and soon came up with a partial fix. After being warned that the released patch didn't fully address the problem, Microsoft gave a new deadline – September.
That would put the window of opportunity for hackers at roughly five months, which did not sit well with Tenable’s CEO, and that’s putting it mildly.
Amit Yoran went on to publish a LinkedIn blog post slamming Microsoft for its “negligence” when it comes to protecting its Azure users, describing the company's activities as “grossly irresponsible”.
“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service,” Yoran said.
In an official security advisory, Microsoft said the problem is now fully fixed: “This issue has been fully addressed for all customers and no customer remediation action is required,” Microsoft said on Friday. The company added that it notified all of its customers of the fix through the Microsoft 365 Admin Center. Notifications started going out on August 4.