Blame a leak for Microsoft SharePoint attacks, researcher insists

A week after Microsoft told the world that its July software updates didn't fully fix a couple of bugs, which allowed miscreants to take over on-premises SharePoint servers and remotely execute code, researchers have assembled much of the puzzle — with one big missing piece. How did the attackers, who include Chinese …

  1. Doctor Syntax Silver badge

    Just thinking about the timing. If they suspect a leak two weeks before public release on the 8th why did the attacks only start on the 7th? Did it take that long for the leak to work through?

    I'm not familiar with the way these things are done but are the PT releases simultaneous world-wide or locally timed because there are places in the world where it's July 8th while at other places it's still July 7th?

    1. anonymous cat herder

      My guess is as soon as the exploit was leaked, the clock started ticking and they knew they had 2 weeks to successfully weaponise, deploy and launch attacks containing the exploit. They only just made it in time; I probably would have missed the deadline.

      1. Doctor Syntax Silver badge

        It depends on how obvious the weaponisation was. Some of the exploits seem to happen PDQ.

  2. AnonymousCward

    Responsible disclosure done wrong… every time

    Rather than hiding things, a lot of the real world damage could have been prevented had Microsoft disclosed to everyone (from the outset of finding out about the problem) that they urgently needed to hide their private corporate SharePoint instances behind some proper additional Kerberos authentication at the web server level or use a decent reverse proxy, VPN, IPSec or another mitigation designed to prevent untrusted entities from interacting with it in the first place, until a fix could be issued. Instead they left it a bit late, only sounding the alarm long after they’d ensured their overpriced cloud instances were safe, and did a piss poor job with messaging until their initial attempt at a patch was botched.

    This isn’t the only time they’ve dropped the ball either, just on file sharing solutions alone. For instance, Microsoft never made SMB truly Internet safe, and for years dithered on the messaging about SMB security and how appropriate it is to use outside of a tightly controlled environment. If a protocol isn’t Internet safe, it isn’t really network safe in general, but Microsoft never wanted to make that clear until they had a [paid] solution ready. Many, many systems were compromised as a result of SMB exploits in the early days, to the point where ISPs had to block Port 445 on behalf of their subscribers. But even more recently we saw major compromises on internal networks (the UK NHS ransomware attacks being a big example of this). Microsoft eventually fixed the SMB Internet safety problem by implementing a glorified SSL proxy over the top (SMB-over-QUIC) but only made it available on their cloud at first (specifically in Server 2022 Azure Edition) before finally making people buy a whole new OS (Server 2025) if they wanted to have the same security on-prem.

    I say this as someone who earns a living maintaining Microsoft products: You will keep having this same issue over and over again, and you will keep paying people like me to maintain these terrible products, even when there are far better options out there.

    1. Anonymous Coward

      Re: Responsible disclosure done wrong… every time

      Hear hear. It's a Microsoft product, of course you have to put it behind some real protection. That's been true for decades.

  3. kmorwath Silver badge

    Nice Sharepoint you have on premises....

    .... it would be bad if something happened to it. Look at my Azure offer... it is not vulnerable...

    If I were Congress - I would grill Nadella immediately. But probably he paid Trump enough to avoid it.

  4. elsergiovolador Silver badge

    Leaky leak

    The cybersecurity world acts baffled every time a patch leaks before release, as if we don’t live in an economy built on disposable labour and institutional distrust. The truth is simpler and more uncomfortable: when corporations hollow themselves out in pursuit of margin, they also hollow out their defences.

    It’s not just Microsoft. It’s the entire model. Lay off half your security team to boost your share price, outsource critical work to the lowest bidder, funnel resources into C-suite bonuses and stock buybacks, and then wring your hands when someone in the system decides loyalty isn’t worth a cold lunch and a hot desk.

    Employees are told to return to soulless offices while senior management dials in from the Maldives. The car park has luxury SUVs, while junior staff are choosing between topping up their heating or making rent. Promotions are frozen. Pay rises are laughable. And the cost of basic dignity - owning a home, starting a family - is pushed further out of reach each year.

    In this environment, leaks aren’t anomalies. They’re pressure valves. All it takes is one disillusioned insider with a conscience dulled by corporate hypocrisy and an envelope waved by someone promising to make their life a little less grim. Not out of malice. Just weariness.

    If you build your entire operation on mistrust, underpayment, and performative ethics, you shouldn’t be surprised when the real vulnerabilities aren’t in the code - they’re in the culture.

    1. Doctor Syntax Silver badge

      Re: Leaky leak

      You could go a step further. Why pay someone to leak a vulnerability? Why not pay someone to put it there?

      1. HMcG Bronze badge

        Re: Leaky leak

        Well, given that it has now been revealed that Microsoft had SharePoint supported by a Chinese engineering team, it's possible that they were just told to put the vulnerability in, without even being paid.

  5. Anonymous Coward

    I wonder...

    If I wanted info on the latest (known) vulnerabilities, and know when they'd be patched, I'd either try to be a MAPP vendor, buy the info off a MAPP vendor, or quietly compromise a MAPP vendor's systems so I could steal the info. If the third option, it would be in my best interest to not do anything that let the vendor know I was in their systems.

    Think somebody's pulled one of those?

  6. r00t2

    What a joke.

    Leaks do not, have never, and will never cause a vulnerability in software (or hardware/firmware). Design/implementation flaws do. What's the adage - "Security by obscurity isn't"? Saying a leak causes vulnerability is precisely that - security by obscurity.

    Let this be a lesson to all corporate compliance officers and other security "professionals" - POLICY DOES NOT PROTECT, CONTROLS DO. All policy does is establish context of consequences *after an incident*, stop acting pikachu-surprised-face when the policy doesn't *prevent* an incident.

    1. HMcG Bronze badge

      Re: What a joke.

      Leaks might not cause vulnerabilities, but having your critical defense infrastructure supported by an engineering team based in China might well do. If the Chinese government tells a China-based Microsoft engineer to do something 'or else', they are going to do it regardless of any company loyalty.

  7. JohnnyS777

    Yeah, right.

    Sure, it's all the fault of the LEAKER. The PR people at Microsoft have no shame.

    Microsoft, your code is poo. Your software is poo. It's all poo, all the way down.
