It's not supposed to work this way.
Microsoft has fixed a vulnerability affecting custom connectors in its Power Platform following sharp criticism last week from Tenable CEO Amit Yoran over the way the software giant handled the security incident.
To be clear, there is no proven link between Yoran's public rebuke of Microsoft's delayed patch and the timing of the fix, but facts are stubborn things.
Tenable alerted Microsoft to the vulnerability, which could allow attackers to access cross-tenant applications and sensitive data, including authentication secrets, on March 30.
In a research advisory about the issue, Tenable said it occurred due to insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Power Platform, a line of business intelligence, app development and app connectivity software applications.
“Certain connectors created for the Power Platform make use of custom C# code to connect and communicate with other services,” Tenable said. “That C# code is deployed as part of an Azure Function with an HTTP trigger. This Azure Function is deployed and managed by Microsoft, not as part of the customer’s environment.”
In a LinkedIn post last Thursday, Yoran called Microsoft “grossly irresponsible, if not blatantly negligent” for taking more than four months to fix the bug.
“We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t,” he wrote.
“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank. They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.”
In a blog post published the following day (last Friday) Microsoft’s Security Response Center said the issue had now “been fully addressed for all customers and no customer remediation action is required”.
Microsoft said it issued an initial fix on June 7 to mitigate the problem “for a majority of customers” and fully addressed the issue for all customers on August 2.
In its research advisory, Tenable detailed a timeline of communications between it and Microsoft, including telling Microsoft on July 10 that its initial June 7 fix was incomplete.
Microsoft said its subsequent investigation, following Tenable’s July 10 advice, found “a very small subset of Custom Code in a soft deleted state were still impacted”.
“This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism,” the company said.
In its post it said work to mitigate potential issues for remaining customers using custom code functions was completed on August 2, the day before Yoran's criticism of its handling of the issue was published.
Microsoft said its security fixes involved extensive investigation, update development, and compatibility testing.
“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix. Moving too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability,” its post said.
“Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”