On Friday, Microsoft revealed that it has resolved a critical security issue affecting Power Platform, although it faced criticism for not acting promptly.
The vulnerability could have allowed unauthorized access to the Custom Code functions used by Power Platform custom connectors, which could have led to unintended information disclosure if sensitive data (for example secrets or connection details) had been embedded in that Custom Code. Microsoft clarified that customers don't need to take any action, and said it has seen no evidence of the flaw being exploited.
Is Microsoft late to take action?
The cybersecurity firm Tenable discovered the flaw and reported it to Microsoft on March 30, 2023. The root cause was insufficient access control on the Azure Function hosts that run custom connector code, which could allow limited, unauthorized interaction with other tenants' applications and sensitive data. Microsoft issued an initial fix on June 7, 2023, but the complete resolution wasn't rolled out until August 2, 2023.
Source: Tenable
The delay in fixing the flaw drew criticism from Tenable CEO Amit Yoran, who accused Microsoft of being "grossly irresponsible, if not blatantly negligent." Yoran argued that under the shared responsibility model cloud providers owe customers transparency, including telling them promptly when they are at risk so they can decide on compensating controls.
“And, to the best of our knowledge, they still have no idea they are at risk and, therefore, can’t make an informed decision about compensating controls and other risk mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t.”
In its defense, Microsoft stated that it follows a rigorous process for investigating and deploying fixes, balancing speed, safety, and quality. It prioritizes protection against actively exploited vulnerabilities and acts swiftly if any threat activity is detected.
“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing. Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”
Thought of the day
Microsoft: a name to trust, but not this time. With threats and exploitable vulnerabilities on the rise, it is hard to understand how attackers overlooked this one. Despite being notified repeatedly by the research firm, Microsoft sat on the report for months.