Private Dynamics 365 TLS key exposed by Microsoft

Dec 11, 2017 12:25 GMT

Microsoft needed more than 100 days to fix a critical leak of a TLS private key in Dynamics 365, after the company initially ignored the bug report and only reacted once it was warned that the details could go public.

Software engineer Matthias Gliwka explains in a long blog post that he discovered and reported a security flaw in Microsoft’s customer relationship management (CRM) and enterprise resource planning (ERP) suite in August, but the software giant initially declined to treat it as a vulnerability, arguing that an attacker would already need administrator credentials.

Gliwka says he came across a wildcard transport layer security (TLS) certificate stored together with its private key. Because a wildcard certificate is valid for every hostname under its parent domain, anyone who extracted the key from one sandbox environment could intercept and decrypt traffic to, or impersonate, any other customer’s sandbox environment, and because the certificate is genuinely valid, clients would see no warning or error message at all.
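The following is an added example, not code from the article or from Microsoft or Gliwka, showing the triage a tester would do after finding a certificate bundle on a host they administer: does the file actually contain a usable private key, and if the certificate is a wildcard, which hostnames could that key impersonate without any client-side warning? It uses only the standard library; X.509 parsing is out of scope, so the certificate's subject alternative names are passed in as a list. The PEM bundle, the SAN entries and the `example.com` hostnames are all constructed for the example and are not the real Dynamics 365 names.

```python
"""Triage for a certificate + private key pair found on a host.

Added example (not from the article, Microsoft or Gliwka). Answers:
  1. Does the bundle contain a usable (unencrypted) private key next to a cert?
  2. If the cert is a wildcard, which hostnames could the key impersonate?
Only the standard library is used; the cert's SAN list is an assumed input.
"""
import re
from typing import List

# Constructed sample of the kind of file found on a server: leaf certificate,
# an intermediate, and the matching private key in one PEM bundle.
# Bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC...placeholder-intermediate...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIE...placeholder-key...
-----END PRIVATE KEY-----
"""

# Hypothetical SAN entries of the leaf certificate, and hypothetical
# hostnames of other customers' environments under the same parent domain.
SAMPLE_SANS = ["*.sandbox.example.com", "sandbox.example.com"]
SAMPLE_HOSTS = [
    "tenant-a.sandbox.example.com",
    "tenant-b.sandbox.example.com",
    "deep.tenant-c.sandbox.example.com",  # extra label: wildcard does not cover it
    "sandbox.example.com",                # covered by the explicit SAN, not the wildcard
    "prod.example.com",                   # different parent domain: not covered
]

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_block_types(text: str) -> List[str]:
    """Return the BEGIN/END labels of every PEM block, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def bundle_leaks_key(text: str) -> bool:
    """True if a certificate sits next to an *unencrypted* private key.

    Covers PKCS#8 ("PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY") and SEC1
    ("EC PRIVATE KEY"). An "ENCRYPTED PRIVATE KEY" block still needs a
    passphrase, so it is not counted as directly usable.
    """
    types = pem_block_types(text)
    has_cert = "CERTIFICATE" in types
    has_plain_key = any(
        t.endswith("PRIVATE KEY") and not t.startswith("ENCRYPTED") for t in types
    )
    return has_cert and has_plain_key


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Wildcard matching as modern TLS clients apply it (RFC 6125 section
    6.4.3, tightened): '*' must be the whole leftmost label, must be
    followed by at least two labels, and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Reject partial wildcards ("f*.example.com") and too-broad ones ("*.com").
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # The wildcard stands in for exactly one non-empty label.
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return hlabels[1:] == plabels[1:]


def impersonable_hosts(san_names: List[str], hosts: List[str]) -> List[str]:
    """Hostnames an attacker holding this key could serve with a valid cert."""
    return sorted(h for h in hosts if any(hostname_matches(n, h) for n in san_names))


if __name__ == "__main__":
    print("PEM blocks:", pem_block_types(SAMPLE_BUNDLE))
    print("usable key next to cert:", bundle_leaks_key(SAMPLE_BUNDLE))
    for host in impersonable_hosts(SAMPLE_SANS, SAMPLE_HOSTS):
        print("impersonable:", host)
```

The matcher deliberately refuses partial wildcards and wildcards that would cover a whole TLD, because that is what browsers and modern TLS libraries do; an attacker only benefits from names a client would actually accept. Note that on the real sandbox every customer administrator held the same key, so the finding is not a single compromised host but every name the wildcard covers.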

The first attempt to have this security vulnerability fixed took place in mid-August when the Microsoft Security Response Center (MSRC) was contacted via PGP-encrypted email, he says.

Without a reply from Microsoft, Gliwka contacted the company once again, only to receive an email five days later informing him that this attack scenario “sounds as the attacker has already received or bypassed admin credentials,” suggesting this wasn’t a vulnerability on Microsoft’s side.

110 days to fix the problem

Gliwka responded with a more detailed explanation of the problem, and after several emails that never received an answer, he got in touch with Microsoft support to ask for a phone number and talk to MSRC directly.

“A few minutes later, I’ve received this phone number from the support: (562) 981–7600. Could that be the real deal? A call to this number revealed that it belongs to the Marine Spill Response Corporation (MSRC), the largest, dedicated oil spill and emergency response organization in the United States,” he writes.

Eventually, Gliwka turned to Twitter in October and threatened to make all details public, but because of the risks involved in putting this information in the hands of cybercriminals, he instead decided to get in touch with German journalist Hanno Böck. After further talks with Microsoft and a ticket on the Mozilla bug tracker, the software giant finally acknowledged the issue and released a fix.

For what it’s worth, the issue was discovered on August 14, reported to Microsoft on August 17, and fixed by the company on December 5. That’s 110 days, or 3 months and 18 days.