Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure. In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully …

  1. Version 1.0 Silver badge

    "Why did it take five months for Microsoft to mitigate a vulnerability..."

    When a bug is discovered, if it is fixed quickly then everyone is happy ... including anyone who's accessing the user data via the bug because when you fix something quickly then it's very hard to verify that you haven't just moved the bug somewhere else. I expect that when Microsoft saw the bug, the programmers started looking at all the other areas in the code that it might have affected, planning to try and implement a complete fix, not just the first of a few months bug fixes.

    Sure, five months is an issue but it's much better than quickly creating a bunch of new vulnerabilities.

    1. Zippy´s Sausage Factory

      Re: "Why did it take five months for Microsoft to mitigate a vulnerability..."

      The fact that they seem to be continually taking 89 days to fix something, only acknowledge it when someone says they're going public... this isn't the behaviour of a reputable and trustworthy cloud provider, it's the behaviour of a clown car full of shysters. How did they get to be number 2 cloud service again?*

      * That's a rhetorical question - it's marketing, monopoly power, and idiots who say "nobody ever got fired for buying Microsoft"

  2. Henry Wertz 1 Gold badge

    Who'd a thought Windows had security problems?

    Title says it -- who'd a thought Windows had security problems?

    I'm shocked -- SHOCKED -- that Microsoft would have loads of security flaws in their shipping products!

    1. Claptrap314 Silver badge

      Re: Who'd a thought Windows had security problems?

      In other news, I heard somewhere that the Pope is Catholic.

  3. sitta_europea Silver badge

    It's the same when I tell Microsoft about criminals that are abusing their services.

    They just ignore me.

    I suppose that's why they're currently listed by Spamhaus as (and I guess I paraphrase here a bit, but not much) the second most criminal friendly ISP on the planet:

  4. Fabrizio

    Microsoft fixing the POC code

    Over the last couple of years Microsoft has been consistently fixing security researchers' Proof of Concept code only, instead of looking for the underlying issues that cause said bugs.

    So if there is no underlying issue they're fixing things in a timely manner, but if there are structural issues, Microsoft relies on the security researcher's ability to tell them "hey there, we did some more digging and here's some more POC code that shows the bug is still there".

    Microsoft effectively outsources their QA to security researchers who most of the time have a better understanding of what's wrong without having access to the source code.

    Shame on you, Microsoft!

