Microsoft Patches Critical Azure Flaw Following Criticism for ‘Irresponsible’ Security Practices


Microsoft has fixed a critical vulnerability that could let hackers gain unauthorized access to sensitive data and cross-tenant applications managed by Azure AD. The fix comes shortly after security researchers criticized Microsoft for its “grossly irresponsible” cybersecurity practices.

In a post on LinkedIn, Amit Yoran, the CEO of the security firm Tenable, called out Microsoft for failing to address a vulnerability in its Azure platform. The flaw enabled Chinese state-sponsored hackers to steal hundreds of thousands of emails from cloud customers, after they obtained an encryption key that granted access to various other Microsoft cloud services.

The Tenable security team discovered and reported the security issue to Microsoft back in March. The researchers found that it could give threat actors access to sensitive information, including bank details. Microsoft took over three months to partially address the security vulnerability. The company initially planned to deploy a comprehensive fix by the end of September.

Attack flow Power Platform bug (Source: Tenable)

Microsoft says Azure vulnerability affected a small subset of customers

Last week, Microsoft rolled out a fix to address the issue for all Azure customers worldwide. The Microsoft Security Response Center team explained that the flaw impacted a “small subset” of customers, but that it could lead to unintended information disclosure. Microsoft has notified all impacted organizations through the Microsoft 365 Admin Center. However, the Tenable security team believes that the fix applies only to newly created Power Apps and Power Automate custom connectors.

“Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission,” Microsoft explained.

In a recent letter, U.S. Senator Ron Wyden asked the heads of the Justice Department, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency to take action against Microsoft. He criticized the company for mishandling the SolarWinds Chinese supply chain attacks against government agencies in 2020 and 2021.