Why does the company that coined the term “Trustworthy Computing” not have a better track record for producing code with airtight security?
This week, a serious vulnerability in Microsoft Teams was disclosed: by abusing the software’s Power Apps tab functionality, bad actors can gain persistent read/write access to victims’ emails, Teams chats, OneDrive, SharePoint and other services.
Exploitation is reportedly limited to authenticated users within a Teams organization who have the ability to create Power Apps tabs, so the vulnerability cannot be exploited by an untrusted or unauthenticated attacker.
However, the permission to create these tabs is enabled by default, meaning a third-party contractor, a disgruntled employee, or even an ex-employee whose access has not been revoked could launch an attack. The practical checks for administrators are therefore to restrict who may add Power Apps tabs to those who need the capability, and to confirm that leavers’ accounts are actually disabled rather than left active.
Walking the talk, or not
Ever since Bill Gates’ famous email about Trustworthy Computing nearly twenty years ago, millions of Microsoft users have relied on the software giant to protect their devices. With this event adding to the list of security bugs, vulnerabilities and coding lapses, what is the world to do?
Jonathan Knudsen, Senior Security Strategist at Synopsys Software, commented on Microsoft’s software development approach: “First, even when you do everything right, things can still go sideways. Using a secure development life cycle is the best way to reduce risk when building software, but you can never eliminate risk entirely. Therefore, having a plan in place to respond to incidents is critically important, which is exactly what happened here.”
Second, said Knudsen, security researchers are an important part of the ecosystem, and can be friendly allies when treated properly. “This means that your organization should have one clear place for researchers to report issues, and you must respond to all inbound correspondence in a timely and respectful manner. Finally, a solid, automated update procedure helps minimize the impact of disclosures like these. In this case, after Microsoft teams fixed the vulnerability, customers’ software was updated automatically.”
Users are advised not to rely on the platform alone: layer additional security controls on top of the Windows operating system and its applications and, in this case, review which accounts in the organization are permitted to create Power Apps tabs in Teams.