Microsoft’s response to a string of security issues over the last two weeks makes it clear that security is still not a high priority at the company, despite lip service to the contrary.
In mid-October, security firm WithSecure announced it had discovered that Microsoft Office 365 allows the use of the insecure Electronic Code Book (ECB) mode for message encryption. ECB is flawed because each block of plaintext is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks; an attacker with access to a large number of messages may be able to analyse them for repeated patterns and then infer the clear text of encrypted messages. Microsoft paid WithSecure a USD$5000 bug bounty but subsequently did not fix the problem.
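To make the ECB weakness concrete, here is an added example in Go (not code from the article, WithSecure or Microsoft): AES in ECB mode beside CBC with a random IV, run over a constructed message whose records share a 16-byte field, plus a repeated-block check a defender can apply to captured ciphertext. The key and the message are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// demoBlock uses a constructed 16-byte demo key (not a real secret), so NewCipher cannot fail.
var demoBlock, _ = aes.NewCipher([]byte("0123456789abcdef"))
// sampleMessage is constructed plaintext: four 32-byte records sharing a 16-byte prefix (whole blocks, no padding).
var sampleMessage = []byte("Account status: ACTIVE   user000" +
	"Account status: ACTIVE   user001" +
	"Account status: ACTIVE   user002" +
	"Account status: ACTIVE   user003")
// ecbEncrypt encrypts every block independently: the mode the article criticises.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}
// cbcEncrypt chains blocks under a fresh random IV, so equal plaintext blocks differ.
func cbcEncrypt(block cipher.Block, pt []byte) []byte {
	iv, ct := make([]byte, aes.BlockSize), make([]byte, len(pt))
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...) // the IV is not secret; it travels with the ciphertext
}
// repeatedBlocks counts blocks seen earlier in the same ciphertext: a cheap defender-side ECB-leak check.
func repeatedBlocks(ct []byte) int {
	seen, dup := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	return dup
}
func main() {
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecbEncrypt(demoBlock, sampleMessage))) // 3
	fmt.Println("CBC repeated blocks:", repeatedBlocks(cbcEncrypt(demoBlock, sampleMessage))) // 0
}
```

The three repeated ECB blocks are the shared "Account status: " field, visible without any key; the same check on the CBC output finds nothing.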
Microsoft has some justification for its position here. ECB is used to support legacy applications, and Microsoft is rolling out replacements for the vulnerable Office Message Encryption (OME) service. Despite that, however, its communications on the subject have been terrible.
When asked about the issue, a Microsoft spokesperson told Bleeping Computer that the “rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary”. This is possibly correct according to Microsoft’s internal perception but is utterly useless for customers that may naively expect email encryption to actually protect content.
Microsoft added that “to help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product”. Again, these are factually correct statements but irrelevant to email encryption and the risks it is meant to mitigate.
Also, earlier this month, multiple security researchers discovered that Microsoft botched its protection against a privilege escalation technique known as Bring Your Own Vulnerable Driver. The BYOVD technique allows attackers to achieve ring 0 or kernel-level privileges by installing vulnerable drivers. Microsoft announced mitigations for Secured-core PCs in 2020, but it turns out these mitigations were never properly implemented — Microsoft intended to maintain a blocklist of vulnerable drivers but didn’t.
Finally, last week security firm SOCRadar announced it had detected a misconfigured Azure Blob Storage bucket containing 2.4TB of Microsoft data. The information included communications between Microsoft and its customers, covering 65,000 companies in 111 countries. Microsoft minimised the breach in its response and said: “Our investigation found no indication customer accounts or systems were compromised”. This is what you say if you are a sociopathic pedant and while it is technically correct, it is also misleading as it turns out the blob was indexed on Grayhat Warfare, a database that harvests publicly exposed buckets. No accounts or systems compromised, just your data.
Microsoft then attacked SOCRadar, stating: “we appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue”. Attacking the messenger is just a terrible look. Ars Technica has more complete coverage of Microsoft’s response.
Back in September last year, we wrote:
Former AWS veteran Charlie Bell is joining Microsoft to lead a newly formed engineering organisation: Security, Compliance, Identity and Management. Hopefully this announcement is an indication that Microsoft will eventually deliver secure products again.
Should we give up hope now?