{"id":29699,"date":"2023-08-03T22:19:02","date_gmt":"2023-08-03T22:19:02","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2023\/08\/03\/microsoft-called-out-for-blatantly-negligent-cybersecurity-practices\/"},"modified":"2023-08-03T22:19:02","modified_gmt":"2023-08-03T22:19:02","slug":"microsoft-called-out-for-blatantly-negligent-cybersecurity-practices","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2023\/08\/03\/microsoft-called-out-for-blatantly-negligent-cybersecurity-practices\/","title":{"rendered":"Microsoft called out for \u201cblatantly negligent\u201d cybersecurity practices"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">Microsoft is facing mounting criticism in the wake of last month\u2019s attack on Azure. 
<a href=\"https:\/\/www.linkedin.com\/pulse\/microsoftthe-truth-even-worse-than-you-think-amit-yoran%3FtrackingId=hE4qd2mSSwmpSoVPqfWAAw%253D%253D\/?_l=en_US\" target=\"_blank\" rel=\"noopener\">In a post on LinkedIn<\/a>, Amit Yoran, the CEO of the cybersecurity company Tenable, says Microsoft\u2019s cybersecurity track record is \u201ceven worse than you think\u201d \u2014 and he has an example to back it up.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">On July 12th, <a href=\"https:\/\/www.theverge.com\/2023\/7\/12\/23792371\/security-breach-china-us-government-emails-microsoft-cloud-exploit\" target=\"_blank\" rel=\"noopener\">Microsoft disclosed a major breach<\/a> targeting its Azure platform, which it traced to a Chinese hacking group known as Storm-0558. The attack affected around 25 different organizations and resulted in the theft of sensitive emails from US government officials. 
Last week, Senator Ron Wyden (D-OR) <a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/wyden_letter_to_cisa_doj_ftc_re_2023_microsoft_breach.pdf\" target=\"_blank\" rel=\"noopener\">sent a letter<\/a> to the US Department of Justice, asking it to hold Microsoft accountable for \u201cnegligent cybersecurity practices.\u201d<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">Yoran has more to add to the senator\u2019s arguments, writing in his post that Microsoft has demonstrated a \u201crepeated pattern of negligent cybersecurity practices,\u201d enabling Chinese hackers to spy on the US government. He also revealed Tenable\u2019s discovery of an <a href=\"https:\/\/www.tenable.com\/security\/research\/tra-2023-25?x-clickref=1011lxHkyXa3&amp;x-promotion-id=afffiliate\" target=\"_blank\" rel=\"noopener\">additional cybersecurity flaw<\/a> in Microsoft Azure and says the company took too long to address it.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">Tenable initially discovered the flaw in March and found that it could give bad actors access to a company\u2019s sensitive data, including a bank. 
Yoran claims Microsoft took \u201cmore than 90 days to implement a partial fix\u201d after Tenable notified the company, adding that the fix only applies to \u201cnew applications loaded in the service.\u201d According to Yoran, the bank and all the other organizations \u201cthat had launched the service prior to the fix\u201d are still affected by the flaw \u2014 and are likely unaware of that risk.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">Yoran says Microsoft plans to fix the issue by the end of September but calls the delayed response \u201cgrossly irresponsible, if not blatantly negligent.\u201d He also points to data from Google\u2019s Project Zero, which indicates that Microsoft products have made up 42.5 percent of all discovered zero-day vulnerabilities since 2014.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">\u201cWhat you hear from Microsoft is \u2018just trust us,\u2019 but what you get back is very little transparency and a culture of toxic obfuscation,\u201d Yoran writes. 
\u201cHow can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors?\u201d<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">Microsoft senior director Jeff Jones responded to Yoran\u2019s criticism in an emailed statement to <em>The Verge<\/em>:<\/p>\n<\/div>\n<div>\n<blockquote class=\"duet--article--blockquote ewrhy30\">\n<p class=\"duet--article--dangerously-set-cms-markup ewrhy37 _1xwtict0\">We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.<\/p>\n<\/blockquote>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/www.theverge.com\/2023\/8\/3\/23819237\/microsoft-azure-breach-blatantly-negligent-cybersecurity-practices\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft is facing mounting criticism in the wake of last month\u2019s attack on Azure. In a post on LinkedIn, Amit Yoran, the CEO of the cybersecurity company Tenable, says Microsoft\u2019s cybersecurity track record is \u201ceven worse than you think\u201d \u2014 and he has an example to back it up. 
On July 12th, Microsoft disclosed a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":29700,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-29699","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/29699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=29699"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/29699\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/29700"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=29699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=29699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=29699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}