Microsoft’s Security Saga Continues: Insights from Whistleblower

Written by Hornetsecurity / 22.07.2024 /


In this episode, Andy sits down once again with Paul to continue their conversation about Microsoft’s struggles with security. The episode focuses on a recent report from ProPublica about a Microsoft whistleblower named Andrew Harris. The report alleges that Microsoft was aware of a serious vulnerability in its on-premises Active Directory Federation Services (ADFS) software that could have enabled the SolarWinds supply chain attack, but chose not to fix it or disclose it to customers. 

Andy and Paul discuss how Microsoft’s focus on new features and cloud growth over security, as well as the desire to win lucrative government contracts, may have contributed to this decision. They also touch on the challenges faced by Microsoft’s security response team and the broader issue of security being seen as a cost center rather than a profit driver.   

Key Takeaways: 

  • Microsoft ignored a serious ADFS vulnerability that could have enabled widespread attacks.
  • Security is often viewed as a cost center at Microsoft, rather than a profit driver. This mindset led to the ADFS vulnerability being ignored, as fixing it was not seen as a priority compared to delivering new features and products.
  • Microsoft was criticized for not being transparent about the ADFS vulnerability and not giving customers the option to implement mitigations, even if it meant sacrificing some functionality.
  • The ADFS incident is symptomatic of broader security culture problems at Microsoft, where security is not always prioritized, and technical debt or legacy systems are not adequately addressed. 

Timestamps: 

(02:22) – Explaining the Whistleblower’s Allegations and the SolarWinds Attack 

(07:32) – Vulnerability in ADFS and Microsoft’s “Security Boundaries” Argument 

(13:06) – Why Was the Issue Swept Under the Rug? 

(19:16) – The Challenges Faced by the Microsoft Security Response Center (MSRC) 

(26:24) – Satya Nadella’s Comments on Prioritizing Security over New Features 

(27:38) – The Controversy Around the “Recall” Feature in Windows 11 

Episode Resources: 

ProPublica Article
