Microsoft slammed over slow security patching

Date:
Thu, 16 Jun 2022 13:59:04 +0000

Description:
Spread of Follina threats lead some to say Microsoft should move faster with its security patches.

FULL STORY ======================================================================

Several cybersecurity firm have criticized Microsoft for what they claim are slow and opaque patching practices.

Orca Security and Tenable have both been quite vocal on how Microsoft handles high-severity vulnerabilities. The former says it has been trying to get Microsoft to fix a critical issue in Azures Synapse Analytics since early January 2022, and after a lot of back and forth, as well as two failed attempts, the company finally managed to provide a patch for user endpoints , properly, only on April 15.

Tenable has also voiced its dissatisfaction with how the Synapse issue was resolved, the publication further found. In a LinkedIn post , the companys Chairman and CEO, Amit Yoran, said theres a lack of transparency Microsoft showed, just a day before the embargo on privately disclosed vulnerabilities lifts.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 . Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/10.99. Slow Follina patch

Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service. After evaluating the situation, Microsoft decided to
silently patch one of the problems, downplaying the risk, Yoran said. It was only after being told that we were going to go public, that their story changed... 89 days after the initial vulnerability notificationwhen they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.

Microsoft was also criticized for the way it handled the Follina vulnerability, which was apparently only patched after being actively exploited in the wild for more than seven weeks. Read more

Microsoft patches Follina threat in latest Patch Tuesday release

Windows Follina zero-day now being abused to infect PCs with Qbot malware

Watch out for this dangerous new Microsoft Word scam, Office users warned

Researchers from Shadow Chaser Group apparently reached out to Microsoft in April, to report on Follina being used in the wild, but the company didnt declare it as a vulnerability until two weeks ago, for unknown reasons.

Slow or not, Microsoft did go into detail on how it fixed the Azure flaw: "We are deeply committed to protecting our customers and we believe security is a team sport. We appreciate our partnerships with the security community, which enables our work to protect customers. The release of a security update is a balance between quality and timeliness, and we consider the need to minimize customer disruptions while improving protection."

Via: Ars Technica



======================================================================
Link to news story: https://www.techradar.com/news/microsoft-slammed-over-slow-security-patching/


--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)