After years of transparency issues, bypassed patches and rocky communication practices with the security community, infosec professionals say Microsoft has failed to uphold its end of the security bargain.
Frustrations came to a head with a breach Microsoft disclosed last month when a Chinese nation-state threat actor, dubbed Storm-0558 by the tech giant, gained access to 25 organizations that included U.S. government agencies. The threat actor breached accounts by exploiting a “token validation issue,” according to Microsoft, through Outlook Web Access in Exchange Online and Outlook.com.
The attacks were notable because they were first detected by the U.S. government, not Microsoft itself. CISA said a federal civilian executive branch (FCEB) agency initially discovered suspicious activity in its Microsoft 365 environment in June.
CISA’s advisory stated the agency only detected the attack because the FCEB agency had enabled enhanced logging for its Microsoft 365 services, a capability available only at the top-tier Microsoft 365 license levels, E5 and G5. “CISA and FBI are not aware of other audit logs or events that would have detected this activity,” the advisory said.
In response, Microsoft plans to roll out enhanced cloud logging capabilities at no additional charge. In a July 19 blog post, Microsoft corporate vice president of security, compliance, identity and management Vasu Jakkal said the company would provide a wider range of cloud logs to standard subscribers in September, including more detailed email access logs alongside 30 other log types once limited to premium subscribers. Additionally, Microsoft will increase the default retention period for standard customer logs from 90 days to 180 days.
Storm-0558 used a Microsoft secure account signing key to forge the tokens and impersonate Azure Active Directory users. Microsoft has not disclosed how the signing key was obtained. The latest update came in mid-July, when the company said it was still investigating the theft.
Additionally, Microsoft faced criticism for obscuring technical details of the underlying issue in the attack. Several security researchers and vendors, including Sophos, noted the software giant avoided calling the token validation issue a zero-day vulnerability, even though the cloud flaw seemed to qualify as one.
Responding to Microsoft’s handling of the breach, Oregon Senator Ron Wyden published an open letter to CISA director Jen Easterly, Attorney General Merrick Garland and FTC chair Lina Khan late last month asking their respective agencies to “take action to hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.”
Storm-0558, however, represents only the latest of many security issues Microsoft has faced in recent years.
A pattern of cloud transparency issues
Complaints about Microsoft’s transparency are far from new. One of the most vocal critics of the software giant of late has been Amit Yoran, chairman and CEO of Tenable.
Yoran last June publicly called out Microsoft for silently patching and downplaying two vulnerabilities in Microsoft Azure that Tenable researchers discovered, one of which Tenable considered critical.
In a LinkedIn post, he called this “a repeated pattern of behavior” from the giant while simultaneously praising FireEye and Mandiant for their “exemplary” disclosure practices following the SolarWinds supply-chain attack in 2020.
Yoran published a follow-up blog on Aug. 2 dedicated to an issue a Tenable researcher found resulting from insufficient access control to Azure Function hosts. Yoran described the issue as one “which would enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets.”
He also referenced data from Google’s Project Zero and said Microsoft products “have accounted for an aggregate 42.5% of all zero days discovered since 2014.”
The blog, titled “Microsoft…The Truth Is Even Worse Than You Think,” alleged that Microsoft took more than 90 days to implement a partial fix for the flaw and that the issue was still partially exploitable more than 120 days after Tenable reported it.
Microsoft is missing a moral compass when it comes to cyber practices and putting their customers at risk …https://t.co/tR4GcGBU3r
— Amit Yoran (@ayoran), August 2, 2023
The Microsoft Security Response Center (MSRC) on Aug. 4 published a blog post addressing Yoran’s comments. It said it issued an initial fix on June 7 that fixed the flaw for “a majority of customers,” and that work was completed to fully address the flaw on Aug. 2 — the day Yoran’s blog was published.
“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix,” it read.
Yoran told TechTarget Editorial some teams and parts of Microsoft have had good practices over the years. But “other parts of Microsoft have been pretty horrific.”
“They produce a lot of code. But they have been disproportionately problematic, especially given how pervasive their software is,” he said.
He described situations where Tenable would discover, investigate and test flaws in Microsoft’s cloud environment. When researchers reached the back end, Yoran claimed the tech giant would not allow the vendor to investigate further, citing data privacy reasons. He said Microsoft would rush to patch the flaw and not disclose it as critical.
“There are just a lot of what I would characterize as borderline deceitful but certainly misleading tactics,” Yoran said. “They have a big ‘trust us’ message. But when it comes to disclosing risk that customers have because of their use of cloud infrastructure, or their checks and balances, or their breach disclosures, their message of trust falls flat.”
Security researchers have long complained about the lack of transparency and disclosure guidelines for cloud vulnerabilities, which are not assigned CVEs because they typically do not require customer action. While many cloud providers issue incomplete security advisories for cloud flaws — and sometimes none at all — Microsoft’s critics say the tech giant needs to do better.
“If they have an issue and fix it behind the scenes quietly but they never disclosed the issue, and you’re a Microsoft customer, you don’t know that you are operating at risk,” Yoran said. “And not knowing that means you can’t go back and inspect the activity and your configurations to give yourself a degree of confidence that you weren’t compromised or to identify that you were. But they’re not even giving you an opportunity to assess the level of risk that you are under. And it’s irresponsible at best.”
Recent cloud issues extend beyond Tenable and the Storm-0558 attacks. At Black Hat USA 2023 earlier this month, Trend Micro researchers disclosed several vulnerabilities in Azure Machine Learning that were allegedly “silently patched” by Microsoft.
Meanwhile, in late July, Wiz published a blog post detailing its research theorizing why the Storm-0558 campaign may be broader than initially thought. Microsoft released two press statements in response (via The Messenger’s senior cybersecurity reporter Eric Geller on Twitter). The former statement said many of Wiz’s claims were “speculative and not evidence-based,” while the latter was less forceful and merely said the blog “highlights some hypothetical attack scenarios” that had not been observed in the wild.
Asked about the cloud security vendor’s research being referred to as “not evidence-based,” Wiz CTO and co-founder Ami Luttwak told TechTarget Editorial that “the PR language does not contradict the blog” because the purpose of the blog was to raise questions.
Despite Microsoft’s pushback on the research, Luttwak praised the company’s work with security researchers. “I think Microsoft is actually the best company to work with in the disclosure process. They have an entire organization for that, and I think they defined in the industry in terms of how to work with researchers,” he said.
Tomer Bar, vice president of security research at red teaming vendor SafeBreach, concurred with Luttwak and praised Microsoft’s communication practices.
“I think they have made so much advancement over the last 20 years and now I really think they are leading some of the best initiatives in security research. I really appreciate the effort,” he said. Bar said that although they can always improve, he thinks Microsoft is doing a good job overall.
Patch bypasses and more transparency issues
Still, critics say the company’s mitigations are too often bypassed by threat actors or fail to address root causes, which leads to additional vulnerabilities and zero days emerging.
Earlier this year, Akamai bypassed mitigations for a critical Outlook zero-day flaw. Late last year, the Play ransomware gang managed to bypass Microsoft’s mitigations for two vulnerabilities affecting Microsoft Exchange Server collectively referred to as ProxyNotShell. And in 2021, Microsoft’s patch for its now-infamous print spooler vulnerability “PrintNightmare” reportedly left some systems vulnerable.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said ZDI managed to bypass ProxyNotShell flaw CVE-2022-41082 three times.
“They came up with a patch for an active attack; we immediately bypassed it. They fixed our bypass; we immediately bypassed their fix. They fixed it again, and we immediately bypassed that as well,” he said. “That’s unacceptable for something like Exchange, which is so critical to so many organizations. And we’re not talking about a theoretical vulnerability that might happen. We’re talking about something that was actively being exploited.”
Childs, who worked for Microsoft in multiple security initiatives from 2008 to 2014, said he sees Microsoft patches getting bypassed “far too often to be acceptable.”
Microsoft patches hundreds of vulnerabilities in its products each year, and zero days are an issue many technology vendors must contend with. Childs said Microsoft’s problems had less to do with quantity and more to do with a lack of transparency and clear communication — alongside the number of patches getting bypassed.
When Childs spoke with TechTarget Editorial in mid-July, he said ZDI had spent “hours on the phone with Microsoft this week” to discuss ongoing cases and bugs that had not been resolved to ZDI’s satisfaction “in order to find a way forward, credit its researchers and keep customers safe.”
In addition to transparency issues, he referenced Microsoft’s monthly security bulletins. Each month, Microsoft publishes a list of security bulletins, and researchers use them to find out which bugs are publicly known and under active attack. While Microsoft used to tell researchers directly which CVEs were under attack or publicly known and which weren’t, Childs said, researchers must now manually dig through the sometimes more than 100 flaws that make up Patch Tuesday to find the same information on Microsoft’s website.
This has led to situations where researchers and vendors have different vulnerability counts each month based on what is a third-party CVE, what has been brought into the Windows update system from elsewhere and what is an actual Windows flaw.
He believes this and several other issues are the product of Microsoft moving toward more automation and away from human security personnel. Asked why he thinks Microsoft hasn’t made more improvements in the wake of criticism in recent years, Childs said he felt leadership had no desire to.
“There are some things which I know are kind of unintentional, through automation or through whatever, that has made [working with Microsoft] less good for me,” he said. “Maybe they think it’s better for them, and they’re willing to take that trade-off.”
Childs put it directly: “On the record, I think Microsoft is failing the community.”
Microsoft vs. software liability
Juan Andres Guerrero-Saade, senior director of SentinelLabs at SentinelOne, published a July 23 thread on Twitter that was highly critical of Microsoft. While he praised security personnel at Microsoft “who do amazing things with little credit” and those who worked hard to support Ukraine throughout Russia’s invasion, he admonished the tech giant for poor transparency, a lack of communication with the security community and ineffective vulnerability patching.
Guerrero-Saade told TechTarget Editorial that Microsoft’s issues point toward a larger problem about the way the U.S. government approaches cybersecurity. He said the government doesn’t have the tools to handle issues like transparency and patch bypasses or to determine accountability and liability. He referenced the National Cybersecurity Strategy the White House released earlier this year, which included a section about holding software publishers accountable for releasing insecure software without following best practices.
“There is no regulatory body or anything that can come down on one of the mega giants and say, ‘Hey guys, we love what you do. But you can’t mess up a patch three times, leave everybody exposed, and then not take any responsibility for the ransomware attacks, crimeware attacks and espionage attacks that happen entirely because of this broken patch,’” he said.
Raj Rajamani, chief product officer of data, identity, cloud and endpoint at CrowdStrike, told TechTarget Editorial at RSA Conference 2023 in April that he fully supported the shift toward software liability whether it happened through legislative action or not. “It could also be executive action, where the procurement team says, ‘Hey, I would much rather buy a CrowdStrike product than a Microsoft product,’” he said.
“There needs to be some level of tightening of the process so that you’re not trying to let the wolf guard the henhouse. It just doesn’t make sense. When you’re publishing so many vulnerabilities before turning around and saying, ‘Hey, I’m also going to protect the same infrastructure with my security software,’ is that the best approach for the government or for enterprises at large?” Rajamani said.
He continued, “Most of the time, if someone gets breached, they’re either calling Mandiant or us. And when we look at the stats, the number of times these are happening in Microsoft environments is just staggering. Customers are taking on a big, big risk by trusting the wolf to guard the henhouse.”
Tiago Henriques, vice president of research at cyber insurance provider Coalition, said the firm has had conversations internally about Microsoft and software liability. He said that because cyber insurance can pressure policyholders to improve their cybersecurity hygiene to receive coverage, he thinks a combination of government plus cyber insurance “is going to lead in the direction where we can start to hold vendors like Microsoft accountable.”
Henriques concurred with the idea that Microsoft is failing the security community. He referenced the large quantity of Microsoft Exchange vulnerabilities that have been disclosed since the discovery of ProxyLogon in 2021.
“When is Microsoft finally going to bother with that product? Either kill it and offer to move everyone to Microsoft 365, or start properly securing the code on that stack,” he said. “Because it’s crazy. And things like, for example, RDP, that by default still doesn’t come with brute force protection. That should be a default in 2023.”
Henriques continued, “We are seeing a large portion of losses coming from Exchange on prem. It’s so painful. And RDP is the second biggest factor for ransomware deployment that we see.” According to Coalition’s “2023 Cyber Claims Report” released in May, “Businesses with less than $25 million in revenue with on-premise Exchange were nearly twice as likely to experience a claim than those without it, signifying the continued risk of running on-premise Exchange.”
According to Coalition claims data shared with TechTarget Editorial, companies that used Microsoft 365 for email were “more than twice as likely” to experience an insurance claim as Google users. For on-premises Exchange users, claims were nearly three times as likely.
“I am telling you what our claims data tells us,” Henriques said. “I can literally tell you we have seen that for FTF [fund transfer fraud] and BEC [business email compromise] type attacks, Google Workspace is much better than Microsoft 365. And it’s absolutely fine for me to say this because I have numbers that show [what I’m saying].”
Henriques said Coalition plans to partner with an online email provider he did not name — but specified it was not Microsoft — where Coalition will move policyholders from on-premises Exchange to the provider at no additional charge.
Several sources TechTarget Editorial contacted said there could be a “turf war” element to the criticism against Microsoft right now, as the company has increased its presence in the security market with Defender and Security Copilot. But the broad sentiment was that even with increased competition, the frustrations from security vendors were real.
Guerrero-Saade stressed that the industry needs Microsoft to succeed as a guardian of the security ecosystem.
“We need Microsoft to succeed the same way we need CISA to succeed. Any criticisms we may leverage in part is the frustration of people that need to build on each other’s work. Our problem when it comes to Microsoft is actually that we don’t want them to fail. We need them to succeed in handling the ecosystem,” he said. “I think anyone who tells you that they want Microsoft to fail is being myopic and incredibly short sighted.”
In a statement, a Microsoft spokesperson said the company remains committed to sharing intelligence and expanding security features but acknowledged “our job is never done to keep our customers and systems protected.”
“Security is built into all of our applications and services from the start, and we acknowledge our job is never done to keep our customers and systems protected. In the face of increasingly well-funded and targeted attacks by advanced actors, we remain committed to sharing threat intelligence, expanding built-in security features and innovating at scale with AI for cyber defense. We also have global teams working around the clock to protect customers and take action against cybercrime infrastructures.”
Then and now
On Jan. 15, 2002, Microsoft co-founder Bill Gates sent an email to every full-time employee at Microsoft under the headline, “Trustworthy computing.” In it, he outlined the tech giant’s plan to emphasize security and trustworthiness in its products.
“There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level — from the way we develop software, to our support efforts, to our operational and business practices,” he wrote. “As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable.” This initiative led to a massive growth for Microsoft’s security organization as well as several then-groundbreaking initiatives such as Patch Tuesday, the MSRC and the Trustworthy Computing group.
The latter was stood up as a dedicated trustworthiness center to handle security issues and response. It was dissolved in late 2014. While Microsoft said at the time its staff would just be under a new roof — many of its staff went to the Cloud and Enterprise division — some were let go during layoffs that happened around that time.
In the 2014 reorganization announcement, Microsoft vice president of security policy Scott Charney wrote that “Trustworthy Computing remains a critical component of Microsoft’s promise to our customers.”
Trend Micro’s Dustin Childs believes the dissolution of Microsoft’s Trustworthy Computing group in 2014 caused “the continuing decline of Microsoft security initiatives.”
“I’m not talking about the security of their product. I’m talking about the support and the Microsoft Security Response Center,” he said. “They’re losing so much touch with the security research community and their entire ecosystem of partners, not to mention customers.”
This is a “disheartening” backslide, he said, because he remembered Microsoft as a company that would regularly make improvements in the way it operated for the community at large.
Katie Moussouris, CEO and founder of Luta Security and a pioneer in vulnerability disclosure who built Microsoft’s first bug bounty programs, said, “The security efforts inside of software companies have a rise and fall just like the Roman Empire.”
“There can be periods of greatness and then periods, like we’re observing right now, where that greatness starts to get a little tarnished and the aqueducts start to crumble,” she said. “This is what we’re observing in Microsoft.”
Moussouris said she felt the disintegration of the Trustworthy Computing group — going from a structured, half-engineering half-communications organization to its duties being redistributed to individual product teams — “definitely played a part” in Microsoft’s security issues. She said that while the group didn’t stop the shipment of products with vulnerabilities, it “exercised influence at the executive levels.”
Because of the shift to a product team, “the fox of profit is living in the henhouse of security” she said, as the product team “has obligations of their own bottom line to individual executives and the shareholders to maximize profit.”
However, Moussouris emphasized that the fall of Microsoft’s security “Roman Empire” is not a story that will end with Microsoft.
“In a lot of ways, Microsoft is a harbinger of what will happen to every single software company that reaches a certain size and popularity,” she said. “Microsoft was the first dominant software company and largest software company in the world. Everything that Microsoft goes through, expect it for every other major software company in the world.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.