Datacenter Business Review: Microsoft Speaks About Zero-Daying Their Customers

An executive at Microsoft has spoken out in defence of the company’s vulnerability disclosure policies, arguing that they give security teams enough information to make educated patching decisions without putting them at risk from threat actors who seek to quickly reverse-engineer patches and exploit them.

Aanchal Gupta, corporate vice president of the Microsoft Security Response Center, told Dark Reading at Black Hat USA that the corporation has decided to keep its initial CVE disclosures sparse in order to safeguard end users. Microsoft’s CVEs detail the vulnerability’s impact and the chance of it being exploited (as well as whether it is currently being exploited), but the corporation will be cautious in how it discloses exploitation details.

Microsoft’s current policy, as described by Gupta, is to allow 30 days following the announcement of the patch before adding more information to the CVE describing the issue and its exploitability. She says the idea is to allow security administrators ample time to implement the patch without putting them in danger. Gupta warns that disclosing vulnerability exploitation details in a CVE could result in “zero-daying” customers.

Very Little Data on Potential Weaknesses

Security experts have criticized Microsoft, along with other large software companies, for the lack of detail in their vulnerability disclosures. Microsoft has been using the CVSS framework to characterize vulnerabilities in its security update guide since November 2020. The descriptions cover attributes such as attack vector, attack complexity, and the kind of privileges an attacker might have. The updates also include a score that rates severity.

However, many claim the fixes are unclear and don’t provide enough detail on the vulnerable components or possible exploits. According to them, Microsoft’s present method of classifying vulnerabilities as either “Exploitation More Likely” or “Exploitation Less Likely” does not provide enough information to make risk-based prioritization decisions.

Lately, Microsoft has been called out for allegedly hiding information about security flaws in its cloud service. The CEO of Tenable, Amit Yoran, accused Microsoft in June of “silently” having patched a few Azure vulnerabilities that were found and disclosed by Tenable’s researchers.

Yoran explained that both of those vulnerabilities could be exploited by anyone using the Azure Synapse System. It was determined that Microsoft secretly patched the problems, keeping the risks under wraps from users.

When asked about other companies that faced problems after disclosing Azure vulnerabilities to Microsoft, Yoran also named Orca Security and Wiz.

Marvell Technology’s stock price fell after its sales outlook came in lower than initially foreseen.

Due to supply-chain difficulties and delayed technology spending, Marvell Technology, a manufacturer of semiconductor chips used in data centres, predicted disappointing sales.

Investors worried about a downturn in the semiconductor industry sold shares of Marvell Technology Inc., a chipmaker for data centres, networking, and other equipment, in late trading.

The company announced on Thursday that revenue for the third quarter would be a little more than $1.5 billion. That is close to the $1.58 billion that analysts had predicted on average. Excluding certain items, Marvell anticipates earnings of about 59 cents, slightly below the 60-cent forecast.

Marvell’s inability to keep up with demand has been exacerbated by widespread supply problems in the semiconductor industry. However, inflation and a weak economy have contributed to a decrease in technology spending, another challenge for the business. For this reason, Marvell and other semiconductor companies saw their stock prices fall in 2022.

At one point during extended trading, the share price dropped by as much as 6.5% before recovering somewhat. Through Thursday’s close, shares of Marvell were down 37% for the year.

However, CEO Matt Murphy said sales are set to increase in the fourth quarter due to better supply conditions.

Read Microsoft: We Don’t Want to Zero-Day Our Customers for the full story.