1,460-Day Old Known Vulnerability Catches Microsoft Off Guard

Vulnerabilities are a fact of life. I started my career in cybersecurity finding and exploiting those vulnerabilities to conduct nation-state offensive operations. I understand the simple reality that there is no such thing as perfect code, and that even the most secure application can be compromised given enough time. But that is not an excuse for writing bad code or failing to address known issues. 

Of course, defenders must protect their environments regardless. It doesn’t matter if it’s a zero-day attack or an exploit targeting a flaw that has been known for years--we have to detect and stop attacks. Period. But the software suppliers also have to do their due diligence to assure they are not introducing exploitable vulnerabilities into the wild. 

So what do you do if the company that is responsible for introducing the highest volume of vulnerabilities is also trying to sell you security tools to protect you from exploits against those vulnerabilities that have resulted in the biggest attacks in recent memory?

A Bad Year for Microsoft

Microsoft continues to make headlines week after week for vulnerabilities in their operating systems, platforms, and applications that expose customers to risk. Sadly, the vast majority of advanced attacks just in the past year—SolarWinds, Colonial Pipeline, HAFNIUM—all have one major thing in common: the victims were compromised in large part due to Microsoft vulnerabilities. 

In July of this year, Microsoft customers had to react to the PrintNightmare vulnerability—which is still being exploited by ransomware gangs. Just in the past few weeks, Microsoft issued a warning to customers of its Azure cloud platform that configuration errors had left customer data exposed for years, followed by a security advisory for a zero-day vulnerability in MSHTML, followed by reports of a critical security vulnerability that can allow attackers to compromise containers in Azure, and the revelation that Microsoft’s Open Management Infrastructure (OMI) agent—which is embedded in many popular Azure services—contains vulnerabilities that many customers were forced to mitigate manually. 

Yes, vulnerabilities are expected, but it shouldn’t be a weekly occurrence affecting millions of customers around the world. In fact, Microsoft has released a patch for at least one zero-day vulnerability every month in 2021 so far except for May. 

The most important thing, though, is not the vulnerabilities themselves, but how a vendor responds to them. Organizations must take responsibility, communicate clearly with affected customers, and act swiftly to address the problem. It should be a red flag, though, if the same issues keep recurring or if the vendor is cavalier in dealing with them. 

Microsoft is well into red flag territory at this point. 

Researchers from Guardicore Labs shared analysis of an issue with Autodiscover—a protocol that allows devices to authenticate to Microsoft Exchange Servers and automatically configure client access. The team found a design flaw that can be exploited to leak web requests and allow credentials to be captured. Guardicore researchers captured more than 370,000 Windows domain credentials, and nearly 100,000 unique sets of credentials in just a few months. 

Microsoft reacted by stating that they are investigating the issue and will take appropriate steps to protect customers. They also chastised the researchers for violating established “responsible disclosure” practices and publishing the information without first notifying Microsoft. They stated, “Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.”

Except they didn’t. Not really. The crux of the issue stems from flaws that were first identified in 2017. 

Amit Serper, AVP of Security Research for Guardicore Labs, fired back on Twitter to explain, “My report clearly cites research from 2017 presenting this issue: see this paper from 2017, as was presented in Blackhat Asia 2017. If this was an 0day, sure. This is a 1460day, at least. Saying that Microsoft ‘didn't know about it’ is untrue.”

Microsoft also tried to point fingers and avoid taking responsibility for the OMIgod flaws. Ars Technica reports that, “Microsoft representatives initially dismissed the vulnerabilities as ‘out of scope’ for Azure. According to Wiz, Microsoft representatives in a phone call further characterized bugs in OMI as an ‘open source’ problem.”

Defenders Must Defend All Vulnerabilities

Despite all of the vulnerabilities they regularly introduce into the market, Microsoft professes to be in the business of cybersecurity as well. They push inferior security products on their customers through heavy-handed E5 licensing bundles that can’t protect customers from the exploits targeting vulnerabilities in their own products. 

Vulnerabilities happen, but they shouldn’t happen with such consistency. Clearly, Microsoft has enough on its plate just trying to make its own operating systems, cloud platforms, and applications secure. 

That’s why you can’t rely on Microsoft to protect you. I built my early career on finding and exploiting vulnerabilities--often in Microsoft products because their software is so ubiquitous. I got into cybersecurity and started Cybereason with a mission to arm defenders with the tools they need to guard against attacks regardless of vulnerabilities. It is our only focus--not something we dabble in on the side to make a few extra dollars. 

You can’t afford to expose yourself to risk from zero-day vulnerabilities, or 1,460-day old unmitigated vulnerabilities. While Microsoft works to clean up its messes, you need to have security tools in place that can effectively detect and defend against zero-day attacks and other exploits targeting the countless vulnerabilities in Microsoft software and services.

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.