Power Platform custom code issues are now fixed by Microsoft, following harsh criticism

August 7, 2023

Microsoft has mitigated the Power Platform custom code information disclosure vulnerability, the Redmond-based company reports in its latest blog post. The fix comes weeks after Microsoft was harshly criticized over its handling of security issues by Tenable's CEO, Amit Yoran, who wrote in his own blog post:

Microsoft’s lack of transparency applies to breaches, irresponsible security practices and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about.

If you aren't up to date: back in March of this year, Tenable discovered a security issue that would let an unauthenticated attacker access authentication information, including the credentials used by a bank. Tenable reported the issue to Microsoft, which, by Tenable's account, took more than 90 days to ship a partial fix. Yoran said the issue was still not resolved and that customers could be at serious risk:

That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions.

Now, however, Microsoft says the problem has been addressed in its entirety.

Power Platform custom code information disclosure vulnerability solved

The security issue affected Power Platform custom connectors that use custom code: it could allow unauthorized access to the custom code functions behind those connectors. Any sensitive data embedded in that custom code, such as banking credentials or API keys, could therefore have been exposed to anyone able to reach the code.
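The practical lesson is that connector code must never be the place where a secret lives. The following is an added illustration, not code from the original article, from Microsoft or from Tenable. It assumes the custom connector scripting model (a class named `Script` deriving from `ScriptBase`, with `Context.Request`, `Context.SendAsync` and `CancellationToken`), and the `WeakScript` class, the `X-Api-Key` header name and the placeholder key value are hypothetical. The weak version embeds a credential in the script, which is exactly what the vulnerability would have exposed; the hardened version relies on the per-connection credential that the platform attaches to the request and fails closed if it is missing.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

// WEAK PATTERN (hypothetical, shown for contrast only): the backend secret is
// compiled into the custom code. Anyone who can read the custom code can read
// the key, which is the exposure the information disclosure issue enabled.
public class WeakScript : ScriptBase
{
    // Placeholder value; a real key here is the mistake being illustrated.
    private const string EmbeddedApiKey = "EXAMPLE-KEY-DO-NOT-EMBED";

    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        this.Context.Request.Headers.Remove("Authorization");
        this.Context.Request.Headers.Add("X-Api-Key", EmbeddedApiKey);
        return await this.Context.SendAsync(this.Context.Request, this.CancellationToken)
            .ConfigureAwait(false);
    }
}

// HARDENED PATTERN: the credential is configured on the connector's security
// definition and stored per connection by the platform. The script only checks
// that the platform attached it and forwards the request; it never stores,
// logs or constructs the secret itself, so reading the code reveals nothing.
public class Script : ScriptBase
{
    // Header the platform is assumed to populate from the connection (assumption).
    private const string CredentialHeader = "X-Api-Key";

    public override async Task<HttpResponseMessage> ExecuteAsync()
    {
        if (!this.Context.Request.Headers.Contains(CredentialHeader))
        {
            // Fail closed rather than falling back to a built-in key.
            var rejected = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            rejected.Content = new StringContent(
                "{\"error\":\"connection credential missing\"}",
                Encoding.UTF8,
                "application/json");
            return rejected;
        }

        // Forward the request untouched; the credential travels with it.
        return await this.Context.SendAsync(this.Context.Request, this.CancellationToken)
            .ConfigureAwait(false);
    }
}
```

Only one class named `Script` is deployed per connector; `WeakScript` is included solely to show the pattern to avoid. The useful check for an existing connector is simple: search its custom code for string literals that look like keys, passwords or connection strings, and move anything found into the connector's authentication settings.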

According to Microsoft, its investigation found that only the security researcher who reported the issue was aware of it. By that account, threat actors such as Storm-0558 had no knowledge of the flaw.

The impacted customers had already been notified by the researcher; Microsoft announced on August 4, 2023 that the Power Platform custom code information disclosure vulnerability had been resolved in its entirety. From Microsoft's post:

Microsoft issued an initial fix on 7 June 2023 to mitigate this issue for a majority of customers. Investigation into the subsequent report from Tenable on 10 July 2023 revealed that a very small subset of Custom Code in a soft deleted state were still impacted. This soft deleted state exists to enable quick recovery in case of accidental deletion of custom connectors as a resiliency mechanism. Microsoft engineering took steps to ensure and validate complete mitigation for any potentially remaining customers using Custom Code functions. This work was completed on 2 August 2023.

Microsoft is also encouraging anyone who finds a security vulnerability to report it directly, arguing that cybersecurity is a shared responsibility:

Microsoft also appreciates the security community’s research and disclosure of vulnerabilities. Responsible research and mitigation are critical for safeguarding our customers and this comes with a shared responsibility to be factual, understand processes and work together. Any deviation from this process puts customers and our communities at undue security risk. As always, Microsoft’s top priority is to protect and be transparent with our customers and we remain steadfast in our mission.

According to Microsoft, the Power Platform custom code information disclosure vulnerability has been resolved for all customers and no action is required. As a general precaution, any organization that did keep credentials inside custom connector code should still treat those credentials as potentially exposed and rotate them.

What do you think about this? Is Microsoft right when it comes to the shared responsibility of cybersecurity or not? Let us know your opinion in the comments section below.
