Microsoft have hidden a vulnerability in M365 Copilot from customers.

Copilot allowed access to enterprise files without generating access logs, MS patched it but didn’t issue a CVE or tell anyone about it.

https://pistachioapp.com/blog/copilot-broke-your-audit-log

Copilot Broke Your Audit Log, but Microsoft Won’t Tell You (Pistachio)

So up until a year ago, every customer-product-facing cloud vuln they fixed wasn’t disclosed to customers - and yes, there are dead bodies in cupboards over that. Everything wasn’t magically immune from vulns until a year ago.

The progress here is they now opt to disclose cloud critical vulns - but nothing below that severity, which is a lot.

To give MS their credit, they’re the only cloud provider I’ve seen disclosing any cloud service vulns via CVE.

My feeling is still there needs to be extreme pressure from major governments that all cloud providers they use disclose all cloud service vulns as CVEs as part of their contracts - eg DoD, NHS - or no signing for new services.
@GossiTheDog This doesn't seem like something the US would do considering they defunded CVE...
@chetwisniewski @GossiTheDog nor the UK considering gestures at basically every NHS IT project ever

@GossiTheDog Oh, if only this would happen.

Sadly, the perceived (or actual short term) costs of doing so are going to be far too high for anyone on the purchase side of things to want it.

@GossiTheDog seems like a great feature for an up and coming compute provider, transparent operations
@GossiTheDog I think we are well into "nobody ever got fired for choosing AWS/Azure" territory. Getting caught letting Chinese citizens work on DoD systems should realistically disqualify Microsoft from any government contracts. It won't though.
@GossiTheDog It’s coming with CRA/EUCS, ENISA says. Unavoidable.