
Microsoft’s Sociopathic Cybersecurity Pedantry

Microsoft’s response to a string of security issues over the last two weeks makes it clear that security is still not a high priority at the company, despite lip service to the contrary.

In mid-October, security firm WithSecure announced that it had discovered that Microsoft Office 365 allows the use of the insecure Electronic Code Book (ECB) mode for message encryption. ECB encryption is flawed: an attacker with access to a large number of messages may be able to analyse them to identify repeated patterns and then infer the clear text of encrypted messages. Microsoft paid WithSecure a USD$5000 bug bounty but subsequently did not fix the problem.
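The repeated-pattern weakness described above can be shown by counting duplicate ciphertext blocks across several messages encrypted under one key. This is an added example, not code from WithSecure or Microsoft; the toy Feistel cipher stands in for AES, CBC is the comparison mode chosen here, and the sample messages are constructed.

```python
import hashlib
import os
from collections import Counter

BLOCK = 16  # bytes per block, as in AES

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for AES (illustration only)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted independently: equal plaintext -> equal ciphertext.
    return b"".join(encrypt_block(key, b) for b in blocks(pad(plaintext)))

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block (random IV first).
    out = [os.urandom(BLOCK)]
    for b in blocks(pad(plaintext)):
        out.append(encrypt_block(key, bytes(x ^ y for x, y in zip(b, out[-1]))))
    return b"".join(out)

def repeated_blocks(ciphertexts) -> int:
    """Count ciphertext blocks that duplicate an earlier block across all messages."""
    counts = Counter(b for ct in ciphertexts for b in blocks(ct))
    return sum(c - 1 for c in counts.values())

# Constructed sample mail: two 16-byte boilerplate blocks plus a short body.
HEADER = b"Dear customer,  your balance is "
MESSAGES = [HEADER + body for body in (b"1200 USD", b"98 USD", b"1200 USD")]

def demo():
    key = os.urandom(16)
    ecb = repeated_blocks(ecb_encrypt(key, m) for m in MESSAGES)
    cbc = repeated_blocks(cbc_encrypt(key, m) for m in MESSAGES)
    return ecb, cbc

if __name__ == "__main__":
    print("repeated blocks  ECB=%d  CBC=%d" % demo())
```

A non-zero count on a corpus of real ciphertexts is a quick indicator that a block cipher is being used in ECB mode.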

Microsoft has some justification for its position here. ECB is used to support legacy applications, and Microsoft is rolling out replacements for the vulnerable Office Message Encryption (OME) service. Despite that, however, its communications on the subject have been terrible.

When asked about the issue, a Microsoft spokesperson told Bleeping Computer that the “rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary”. This is possibly correct according to Microsoft’s internal perception but is utterly useless for customers who may naively expect email encryption to actually protect content.

Microsoft added that “to help prevent abuse we recommend customers follow best security practices, including keeping systems up to date, enabling multi-factor authentication, and using a real time anti-malware product”. Again, these are factually correct statements but irrelevant to email encryption and the risks it is meant to mitigate.

Also, earlier this month, multiple security researchers discovered that Microsoft botched its protection against a privilege escalation technique known as Bring Your Own Vulnerable Driver. The BYOVD technique allows attackers to achieve ring 0 or kernel-level privileges by installing vulnerable drivers. Microsoft announced mitigations for Secured-core PCs in 2020, but it turns out these mitigations were never properly implemented — Microsoft intended to maintain a blocklist of vulnerable drivers but didn’t.

Finally, last week security firm SOCRadar announced it had detected a misconfigured Azure Blob Storage bucket containing 2.4TB of Microsoft data. The information included communications between Microsoft and its customers, covering 65,000 companies in 111 countries. Microsoft minimised the breach in its response and said: “Our investigation found no indication customer accounts or systems were compromised”. This is what you say if you are a sociopathic pedant. While it is technically correct, it is also misleading: it turns out the blob was indexed on Grayhat Warfare, a database that harvests publicly exposed buckets. No accounts or systems compromised, just your data.

Microsoft then attacked SOCRadar, stating: “we appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue”. Attacking the messenger is just a terrible look. Ars Technica has more complete coverage of Microsoft’s response.

Back in September last year, we wrote:

Former AWS veteran Charlie Bell is joining Microsoft to lead a newly formed engineering organisation: Security, Compliance, Identity and Management. Hopefully this announcement is an indication that Microsoft will eventually deliver secure products again.

Should we give up hope now?

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
