Microsoft Addresses Critical Power Platform Flaw After Delays and Criticism

07-08-2023

Microsoft on Friday disclosed that it has addressed a critical security flaw impacting Power Platform, but not before it came under criticism for its failure to swiftly act on it.

“The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors,” the tech giant said.

“The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function.”

Cybersecurity firm Tenable, which discovered the flaw, said it arises from insufficient access control on Azure Function hosts, leading to a scenario where a threat actor could intercept OAuth client IDs and secrets, as well as other forms of authentication.

The months-long delay in patching the flaw attracted scrutiny from Tenable CEO Amit Yoran, who slammed the Windows maker for being “grossly irresponsible, if not blatantly negligent.”

“Cloud providers have long espoused the shared responsibility model,” Yoran said in a post shared on LinkedIn. “That model is irretrievably broken if your cloud vendor doesn’t notify you of issues as they arise and apply fixes openly.”

“Not all fixes are equal,” Microsoft further added in its response. “Some can be completed and safely applied very quickly, others can take longer. In order to protect our customers from an exploit of an embargoed security vulnerability, we also start to monitor any reported security vulnerability of active exploitation and move swiftly if we see any active exploit.”


Source: https://thehackernews.com/