BLACK HAT USA — Las Vegas — A top Microsoft security executive today defended the company's vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse-engineer patches for exploitation.
In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft's Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.
For most vulnerabilities, Microsoft's current approach is to give a 30-day window from patch disclosure before it fills in the CVE with more details about the vulnerability and its exploitability, Gupta says. The goal is to give security administrations enough time to apply the patch without jeopardizing them, she says. "If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," Gupta says.
Sparse Vulnerability Information?
Microsoft — as other major software vendors — has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures. Since Nov. 2020, Microsoft has been using the Common Vulnerability Scoring System (CVSS) framework to describe vulnerabilities in its security update guide. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also provide a score to convey severity ranking.
However, some have described the updates as cryptic and lacking critical information on the components being exploited or how they might be exploited. They have noted that Microsoft's current practice of putting vulnerabilities into an "Exploitation More Likely" or an "Exploitation Less Likely" bucket does not provide enough information to make risk-based prioritization decisions.
More recently, Microsoft has also faced some criticism for its alleged lack of transparency regarding cloud security vulnerabilities. In June, Tenable's CEO Amit Yoran accused the company of "silently" patching a couple of Azure vulnerabilities that Tenable's researchers had discovered and reported.
"Both of these vulnerabilities were exploitable by anyone using the Azure Synapse service," Yoran wrote. "After evaluating the situation, Microsoft decided to silently patch one of the problems, downplaying the risk," and without notifying customers.
Yoran pointed to other vendors — such as Orca Security and Wiz — that had encountered similar issues after they disclosed vulnerabilities in Azure to Microsoft.
Consistent with MITRE's CVE Policies
Gupta says Microsoft's decision about whether to issue a CVE for a vulnerability is consistent with the policies of MITRE's CVE program.
"As per their policy, if there is no customer action needed, we are not required to issue a CVE," she says. "The goal is to keep the noise level down for organizations and not burden them with information they can do little with."
"You need not know the 50 things Microsoft is doing to keep things secure on a day-to-day basis," she notes.
Gupta points to last year's disclosure by Wiz of four critical vulnerabilities in the Open Management Infrastructure (OMI) component in Azure as an example of how Microsoft handles situations where a cloud vulnerability might affect customers. In that situation, Microsoft's strategy was to directly contact organizations that are impacted.
"What we do is send one-to-one notifications to customers because we don't want this info to get lost," she says "We issue a CVE, but we also send a notice to customers because if it is in an environment that you are responsible for patching, we recommend you patch it quickly."
Sometimes an organization might wonder why they were not notified of an issue — that's likely because they are not impacted, Gupta says.