Microsoft singled out in vulnerability patching

Cybersecurity researcher blames publisher for delay in response to reported flaws

Operational security - August 14, 2023

On August 2, 2023, Amit Yoran, CEO of Tenable, criticized Microsoft’s “lax” vulnerability patching policy. At the end of July 2023, US Senator Ron Wyden had also alerted US authorities to Microsoft’s “cybersecurity negligence.” According to Google Project Zero, 42.5% of zero-day vulnerabilities since 2014 come from Microsoft products.

In March 2023, a Tenable researcher discovered a critical flaw in Microsoft Azure that enabled attackers to steal sensitive data, including security information. Tenable researchers even managed to log into a financial institution’s Azure account. Microsoft was notified immediately.

According to Amit Yoran, it took Microsoft 90 days to provide a partial patch for new users only. All previous users, including the bank, remain vulnerable four months after the report. Moreover, users “still do not know if they are exposed to risk and therefore cannot make any informed decisions in regard to risk management and mitigation measures,” explained the researcher.

Microsoft answered that its patch management procedures were “thorough” and sometimes lengthy: they require an in-depth investigation, developing updates for all software versions and compatibility testing on all operating systems. “Developing security updates means striking the right balance between speed and quality, while guaranteeing maximum protection and minimum disruption,” concluded the software publisher.