21 comments

[ 171 ms ] story [ 153 ms ] thread
[flagged]
You can't be serious right? I don't even know where to start.

Because if your product has critical security vulnerabilities or design flaws, you won't be in business very long? Or look at it this way, your product will put the Security of others at risk?

If this isn't a joke comment, I'd remove your job title from it.

It has to be a joke. The comment lacks the playful tell of good sarcasm, but nobody with half a brain would ever say something seriously in that manner.
> nobody with half a brain would ever say something seriously in that manner

As Microsofts head of product strategy, I raise you this: If you're so concerned about security, just get an antivirus

That's just how we think over here at Microsoft
This was brought to Microsoft's attention by Tenable well before the Tenable CEO decided to make a public statement about it.

I have a relative that works for them doingnthe CyberSec thing who had talked about this a few weeks ago.

Actual title: Microsoft fixes flaw after being called irresponsible by Tenable CEO

Maybe they need an Azure SP3 moment?

Coincidentally, today I noticed a surprisingly high number of file accesses from Tenable's Nessus software, caused by it reading a megabyte-sized config file one character at a time without buffering, each going through Win32's ReadFile.

It seems that negligence is not in short supply.

Classic MS community engagement post right here.
This is generally my impression of anything Microsoft. O365, Azure, AAD, Teams, logging needing extra support levels, patching on Windows, how CVEs aren't CVEs, how they won't implement secure defaults, etc.

Mind you my opinion is easily permanently soured on far cooler engineering things (like Cloudflare) for them hosting doxxing things... as much as I like the engineering... if you refuse to keep people safe why would I take the risk to use your infrastructure?

(comment deleted)
Also, water has been discovered in vast quantities near the ocean.
Well, I am glad someone is doing research in this area. Powerapps are one of those things I hope I never have to deal with in a security incident. The logging and access control is messy but the underlying implementation uses normal azuread authentiation/access control.

Let's say a random user creates an app to measure something for their team, store it in sharepoint and update the avatar or some other property of users stored in azuread. Because of that latter part, the powerapp might (!) have requested and been granted directory.readwrite.all which means it can do anything at all including making itself or whoever can somehow control it and abuse it global admin, controlling the whole tenant.

A lot of this stuff is for business customers only, I suspect that's why you see little research or random threat actors abusing these types of features (until they're not random anymore).

It's bizarre how the author refers to Microsoft as "Redmond" repeatedly.

> Redmond has since notified all impacted customers through the Microsoft 365 Admin Center starting August 4th.

> initial fix deployed by Redmond on June 7th was tagged by Tenable as incomplete

> To make matters even worse, Redmond's initial commitment to fixing the issue...

Maybe it's to emphasize that they're dealing with higher-ups at Microsoft HQ instead of someone at their branch office?

It's like how they call the US federal government "Washington".

Why is that bizarre? That’s been a way to describe talking to Microsoft since the mid to late 80’s.
That's no different from referring to US policymakers as "Washington" or their Chinese counterparts as "Beijing".
This is a normal way for people who are talking to "real Microsoft" and not customer service to refer to them.
Facebook is MPK Apple is Cupertino
Do people just forget that the three letter organisations of the USA are always able to obtain MSFT touching data??
Careful, Tenable, lest we throw stones at your bucket of regex called Nessus