Microsoft is facing mounting criticism for its lack of transparency and irresponsible security practices.
In a blog post, Amit Yoran, the CEO of the cybersecurity company Tenable, said Microsoft’s cybersecurity track record is “even worse than you think”.
Tenable Research discovered a critical flaw in Microsoft’s Azure platform in March, allowing unauthorized access to steal sensitive data.
Microsoft was also made aware of the vulnerability, but it took them more than 90 days to release a patch.
The cybersecurity firm claimed that this security flaw has exposed several customers, including a bank, to cyberattacks.
Cloud providers use a shared responsibility model, which is harmed when vendors fail to notify customers about issues as they arise and apply fixes as soon as possible.
“Last week, Senator Ron Wyden sent a letter to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice, and the Federal Trade Commission (FTC) asking that they hold Microsoft accountable for a repeated pattern of negligent cybersecurity practices, which has enabled Chinese espionage against the US government,” Yoran said.
The CEO further said that Microsoft plans to fix the problem by the end of September, but the delay is “grossly irresponsible, if not blatantly negligent”.
He also pointed out data from Google’s Project Zero, which showed that Microsoft products have accounted for 42.5 percent of all discovered zero-day vulnerabilities since 2014.
Responding to Yoran’s criticism, Microsoft told The Verge: “We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications.
“Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption.”
