Microsoft has issued a rare rebuttal to recent criticism of its alleged “negligent” security practices and approaches to patching security vulnerabilities.
Last week, Tenable CEO Amit Yoran published a scathing critique of the company, suggesting that the company’s “lack of transparency” and “irresponsible security practices” exposed customers to excessive risk .
Yoran said Microsoft has a history of deliberately keeping its customers in the dark regarding security failures and that the company should be held accountable for its conduct.
His comments followed similar criticism of the tech giant from a US senator following a Chinese cyberespionage incident in which emails belonging to government officials were leaked. accessed by malicious actors.
A key talking point in Yoran’s claims focused on the disclosure of a critical security vulnerability in Microsoft’s Power Platform on Azure. Tenable claims to have informed the tech giant of the problem in March this year. However, Yoran revealed that it took several months before the company released a “partial fix.”
He said this posed a serious risk to customers using Microsoft services and amounted to a negligent approach by the company.
Microsoft strongly disagreed with these claims. In a statement released Friday, the tech giant said its approach to addressing this vulnerability was based on long-established practices.
Start finding an integrated, automated solution that addresses your biggest security concerns.
“As part of preparing security patches, we follow a thorough process involving thorough investigation, update development, and compatibility testing,” Microsoft said.
“Ultimately, developing a security update is a delicate balance between how quickly and securely the patch can be applied and how well the patch can be applied.”
Microsoft said that “acting too quickly” in response to certain vulnerabilities could cause “more disruption than the risk customers bear” due to a security vulnerability.
With this in mind, Microsoft’s lengthy approach to addressing this vulnerability does not constitute negligence, but rather a careful and measured approach to appropriately patching patch a breach and avoid any unwarranted disruption to customers due to a botched fix.
“The purpose of an embargo period is to provide time to proceed with a quality solution,” the company said. “Not all fixes are equal. Some can be made and applied safely very quickly, others may take longer.
The flaw discovered by Tenable in March was officially fixed on August 2, Microsoft confirmed.
Similarly, a vulnerability investigation found that only a “very small subset” of customers were affected and therefore considered low risk.