Security: Azure Synapse draws the wrath of security researchers


In the security world, researchers generally agree to wait at least 90 days before disclosing the details of a flaw they have discovered, a deadline modelled in particular on the disclosure timeline adopted by Google's Project Zero team.

But sometimes, fixing a flaw can take a long time…

SynLapse

Security researcher Tzah Pahima, who works for cybersecurity company Orca, discovered a critical security flaw affecting Azure Synapse Analytics, a data analysis service provided on Microsoft’s cloud.

The vulnerability discovered by the researcher, dubbed “SynLapse”, allowed attackers outside the company to access information hosted within the Azure Synapse Analytics service, as well as confidential information belonging to users of the service.

“By knowing the simple name of an Azure Synapse workspace, we are able to gain access to multiple user accounts with access to that space, leak the access credentials of customers of that workspace, communicate with other customer workspaces and take control of the entire Azure batch pool used to run the shared workspaces.”

Never two without three

A rather serious flaw, which the researcher reported to Microsoft on January 4. But fixing the problem turned out to be more complicated than expected, according to the timeline published by the researcher.

During the following two months, Microsoft requested more information on the vulnerability, before deploying a first, partial patch at the end of March. Orca's researchers managed to bypass that first patch, prompting further meetings and explanations with Microsoft.

A second patch was proposed at the beginning of April, which Orca's researchers also managed to bypass. A third patch, developed in mid-April, corrected most of the vulnerability, and additional protections put in place by Microsoft's teams in May completed the fix. Customers were not informed of the existence of the flaw and its fix until May.

The law of series

It therefore took between four and five months to completely correct the problem. Orca's researchers say they received a $60,000 reward through the bug bounty program offered by Microsoft.

But Orca's researchers are not the only ones to highlight Microsoft's difficulties in fixing the flaws reported in Azure Synapse. Tenable explained in a blog post earlier this month that it faced similar difficulties after reporting two flaws in Microsoft's service in early March.

Tenable's complaints are less about fix times than about how the vulnerabilities were characterized and how the vulnerabilities and their fixes were communicated to the public. Tenable points out in particular that vulnerabilities affecting cloud services are not assigned CVE identifiers, the method traditionally used to identify vulnerabilities in software.

As of April 30, Microsoft had patched the vulnerabilities reported by Tenable without notifying customers that the patch was in place. That patch is also partial: Tenable reports that part of the vulnerability could still be exploited. And the company indicates, for its part, that it has not received any bounty for this report.
