Microsoft slammed over slow security patching

Microsoft should move faster with patches, experts complain


Several cybersecurity firms have criticized Microsoft for what they claim are slow and opaque patching practices.

Orca Security and Tenable have both been quite vocal about how Microsoft handles high-severity vulnerabilities. The former says it has been trying to get Microsoft to fix a critical issue in Azure’s Synapse Analytics since early January 2022, and that only on April 15, after a lot of back and forth and two failed attempts, did the company finally manage to properly patch user endpoints.

Tenable has also voiced its dissatisfaction with how the Synapse issue was resolved, Ars Technica further found. In a LinkedIn post published just a day before the embargo on the privately disclosed vulnerabilities lifted, the company’s Chairman and CEO, Amit Yoran, pointed to a “lack of transparency” on Microsoft’s part.


Slow Follina patch

“Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk,” Yoran said. “It was only after being told that we were going to go public, that their story changed… 89 days after the initial vulnerability notification… when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.”

Microsoft was also criticized for the way it handled the Follina vulnerability, which was apparently only patched after being “actively exploited in the wild for more than seven weeks”.

Researchers from Shadow Chaser Group apparently reached out to Microsoft in April to report that Follina was being used in the wild, but the company didn’t declare it a vulnerability until two weeks ago, for unknown reasons.

Slow or not, Microsoft did go into detail on how it fixed the Azure flaw: “We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection.”

Via: Ars Technica

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.