CrowdStrike: Microsoft Is Failing At Security

CrowdStrike says Microsoft is failing at security and stresses the need for more scrutiny of its ... [+] practices.

Microsoft helped launch the PC and internet age. It is an established brand and a household name around the world. Individuals, companies, and government agencies depend on the operating systems, applications, and cloud services developed by Microsoft—which is why vulnerabilities in Microsoft software can have potentially massive consequences.

In the wake of recent vulnerabilities and high-profile attacks, there is growing concern regarding vulnerabilities present in Microsoft's software and increasing intensity focused on the question of Microsoft’s culpability. Customers, competitors, and even U.S. senators have stressed that these issues expose companies and government agencies to significant risk and raise questions about the company's practices in both cybersecurity and competition.

I recently spoke to Shawn Henry, Chief Security Officer (CSO) at CrowdStrike, about Microsoft. Henry has broad and unique perspective to bring to the issue, having spent more than 24 years with the FBI before joining CrowdStrike. Henry led the global Cyber Division and Critical Incident Response Group and has insight that straddles the public and private sectors.

Before we get into more of my conversation with Henry, though, let’s set the stage on recent events.

Microsoft releases security patches on the second Tuesday of each month—which was this week. For August 2023, Microsoft issued two security advisories and addressed 74 different CVEs. The flaws affected everything from Teams and Exchange Server to the Windows Kernel and Microsoft Office. In all, there were six vulnerabilities rated as Critical, and 67 with a rating of Important—with 23 exploitable via remote code execution (RCE).

That brings the total for the year so far to 690 vulnerabilities fixed by Microsoft. Nearly 10% (63) have been rated as Critical, while almost a quarter (24%) allowed elevation of privileges if properly exploited, and more than a third (36%) allowed for remote code execution.

There is no such thing as perfect code, so when you are a company with literally hundreds of millions of lines of code, there will be flaws. The volume and criticality are another issue, though. Henry and I talked about how it is that consumers or government agencies don’t hold Microsoft accountable for the quality of their products.

Henry noted, “If we had the government buying tanks that stopped on the battlefield or jets that couldn't take off—and it happened month after month, year after year for decades—I think there'd be an issue. There'd be a big problem.”

Microsoft has always been a popular target for threat actors. When you have the dominant operating system in the world, and a formidable chunk of market share for email platforms, productivity software, and cloud services and applications, bad guys are going to focus their attention on finding weak links to exploit.

In the past few months, Microsoft's software has seen a series of high-profile breaches and security flaws. From vulnerabilities in the Windows operating system to holes in various applications and services, Microsoft's products have become a recurring point of attack for malicious hackers and cybercriminals.

These vulnerabilities have had far-reaching implications. Businesses suffer financial losses and reputational damage, while government agencies face risks to national security. The dependency on Microsoft's products in vital sectors further exacerbates these concerns.

Senator Ron Wyden has been a vocal critic of Microsoft's handling of security. Following revelations that attackers working for China were able to access Microsoft’s email platform and spy on senior diplomats, including the U.S. Ambassador to China, the senator has called for an investigation by the Cybersecurity and Infrastructure Security Agency (CISA), Department of Justice (DOJ), and the Federal Trade Commission (FTC) into Microsoft's practices.

The letter highlights several instances of security breaches and failures and calls into question Microsoft's commitment to protecting its users. Senator Wyden's concerns are backed by many in the industry, as detailed in a Reuters report.

When I talked with CrowdStrike’s CSO, one of the things we talked about was the fact that Microsoft has hundreds of software engineers working in China. Microsoft is a global company, and there is obviously a need to regionalize or localize aspects of the software, so at face value, it seems reasonable. However, the rules are different in China—and that has a potentially huge impact.

China is a huge market, and the country is a key partner for the U.S. and other Western nations, but it is admittedly a “frenemy” or “coopetition” scenario because China is also a primary competitor and potential threat. China is playing the long game—executing a 100-year plan to establish itself as the preeminent superpower by 2047. They are using every means necessary—Chinese citizens, ex-pats, witting and unwitting Americans, and others in an effort to collect intelligence on the U.S. economy, military, defense industrial base, technology, and other sectors.

I don’t fault China—or any nation—for striving to be more powerful or influential, and I assume that the United States and other nations follow many of the same practices when it comes to gathering intelligence. Where it gets more complicated, though, is that companies in China answer to the CCP (Chinese Communist Party), and the government requires that members of the party hold decision-making executive roles. There is a lot that must be shared with the government. Businesses are expected to provide keys to encrypted devices and provide access to offices—and to source code.

“You're telling the public they can't use Huawei, and they can't let kids watch dance videos on TikTok because China is going to collect intelligence—yet the most ubiquitous software, which is used throughout the government and throughout every single corporation in this country and around the world, has engineers in China working on their software,” emphasized Henry.

Adding to the complexity of the situation, Microsoft is not just a provider of software and operating systems but also a competitor in the cybersecurity market. They offer tools and services to protect against cyberattacks, often targeting the vulnerabilities present in their own products.

It is impractical to expect Microsoft to write code with zero vulnerabilities. However, it is fair to examine the volume of Critical vulnerabilities and to question whether there is more Microsoft could do to develop more secure code in the first place, as well as if it is reasonable for Microsoft to sell customers security tools and services to defend against attacks on vulnerabilities they created.

It feels a bit like asking the arson to put out the fire. Critics argue that Microsoft should invest its resources and effort in making more secure products rather than "double-dipping" by selling additional software and services to protect the flaws they exposed users to. A report on Cyberscoop details an example of this negligence, which can leave consumers feeling trapped in a cycle of dependency on Microsoft.

Personally, I am a fan of Microsoft. I always have been. I prefer the Windows operating system, and I have used a Microsoft Surface device as my day-to-day PC for the past decade. The vast majority of my work days are spent using Microsoft software—Word, Outlook, Excel, PowerPoint, Teams, etc. I highly recommend Microsoft tools and applications.

However, Microsoft's vulnerabilities are a growing concern that goes beyond mere technical flaws. The issues raise critical questions about corporate responsibility, market competition, and national security. Senator Ron Wyden's call for an investigation highlights the urgency of the situation.

It is time for a thorough examination of Microsoft's practices and a concerted effort from the company to rebuild trust. This involves not just patching existing vulnerabilities but creating a culture that prioritizes security, transparency, and the interests of users above profit-driven motives.

It is a complex challenge, but one that Microsoft must meet to maintain its credibility as a leader in the technology industry.

Microsoft tests free GPT-4 toggle in Bing Chat AI on Android and iOS

Microsoft has rolled out a new server-side update for Bing Chat app on Android and iOS with a new toggle called “GPT-4”. This new feature allows you to unlock the full potential of ChatGPT GPT-4, in addition to the existing “tones” feature.

As you probably know, Bing Chat allows you to choose the style in which Bing responds, such as “Creative”, “Balance”, or “More Precise”. With the new GPT-4 addition, the chat experience is set to be even better. This appears to be part of the tech giant’s plan to make chatting feel much more like talking to a chatbot than an assistant for Bing.com

Microsoft is rolling out the new GPT-4 toggle for Android and iOS users via Bing app. So what’s the new feature all about? Microsoft support staff told us the new GPT-4 toggle is a feature that allows you to chat with GPT-4, a multimodal large language model created by OpenAl.

It appears the GPT-4 toggle lets you chat with Bing’s GPT-4 model without extra customization applied by Microsoft. If you click the three dots menu, you can return to the existing tones feature, which lets you use Microsoft’s customization.

“Please note that GPT-4 is not perfect and may make mistakes or produce inappropriate responses. If you encounter any issues or have any feedback, please let us know by using the feedback button on the chat interface,” a Microsoft staff told us.

Microsoft is internally exploring a no search or offline mode for Bing Chat.

Here’s a bit about how Bing usually works: When you ask a question, it often searches the internet for the answer, similar to how we might use a search engine like Google. But sometimes, for simple questions, this can seem slow or unnecessary.

Some users have mentioned that they don’t always want Bing to search the web, especially when using a feature on Windows 11 called Copilot. They prefer if Bing just gave quick answers without always going online.

Our sources at Microsoft have given some hints about what’s coming next. The company is thinking about a new approach for Bing AI Chat.

In this approach, Bing might not always look up answers on the internet. Instead, it could answer from what it already knows, making the chat faster and smoother.

For instance, if someone often asks Bing for help with a program like Microsoft Word, Bing currently searches online each time, even for common questions. Imagine asking Bing, “How do I bold text in Word?” Currently, Bing might search online to provide an answer. But with the planned changes, Bing could quickly tell users the steps without the need to search.

In conclusion, Microsoft’s updates to Bing Chat AI, especially with the addition of GPT-4, show a strong move towards making the tool more user-friendly. With these changes, Bing could become a preferred choice for many looking for a smooth and efficient chatbot experience.

Microsoft to update Office Pro Plus after Dutch ministry questions privacy

Microsoft plans to update its Office Pro Plus products by the end of April to address a series of privacy concerns raised in an audit commissioned by the Dutch justice ministry that flagged what the auditors called "high risks" to government users' privacy.

The update for many of the company's Office Pro Plus customers, which has been confirmed by Microsoft, will address concerns relating to a package of popular Microsoft programs — namely that they were sending diagnostic data from Europe to the United States without adequate documentation and user controls over what was sent.

Microsoft and the Dutch justice ministry agreed on the changes as part of an "improvement plan" with an April deadline. A ministry spokesman told POLITICO that if Microsoft's responses proved "unsatisfactory," the ministry could raise the concerns with European data protection authorities for further action that could include "enforcement measures."

In a statement, Microsoft's top privacy and regulatory counsel, Julie Brill, underscored that the Dutch ministry had commissioned the audit as a customer of Microsoft and had not sought regulatory action against the company.

“The ministry commissioned the report in its capacity as a customer to clarify how our services are run and we’re working with the ministry’s staff to share additional information and help resolve its questions as we would for all enterprise customers,” Brill said.

She added that the issues raised in the report, conducted by the Privacy Company, a Hague-based consultancy, relate to “diagnostic data in one product,” Office Pro Plus, and that the company is “confident this is consistent with Dutch law and GDPR,” Europe’s General Data Protection Regulation privacy law. Office Pro Plus includes a range of Microsoft programs.

“We feel good about what we’re doing to give customers transparency and choice on the diagnostic data they share with us, but we always want to do more,” Brill said. “In the coming weeks we will take additional steps to make it easier for customers to understand what data needs to go to Microsoft to run our services and why, and where data-sharing is optional.”

When Microsoft updates products, the update usually takes place worldwide for users of the product and the company gave no indication that would be different in this case.

Under the EU's data protection laws, the Irish Data Protection Commission is the “lead supervisory authority” in charge of making sure Microsoft complies with the rules. If the Netherlands chose to escalate its concerns, it could forward a request on the relevant issues to the Irish regulator. Meanwhile, any issues would be closely monitored by the European Data Protection Board, which gathers all EU data regulators, and the European Data Protection Supervisor, which may in turn start their own investigations that could lead to enforcement action.

A spokesperson for the Irish Data Protection Commission said it is “aware of this matter and its significance to companies using the Microsoft product in question. On becoming aware, the DPC immediately engaged with Microsoft seeking further information on the processing of telemetry data, in response to which Microsoft is providing detailed responses.”

The Privacy Company, a consulting firm that the ministry contracted to do the audit, said in a blog summary of the findings that “Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook.”

It added: “Covertly, without informing people ... Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.” A major concern of the Dutch was that the company sends the data back to its servers in the U.S.

Microsoft doesn't agree with some of the assertions of the Privacy Company's report but is making changes to its products as it routinely does to accommodate customers. The company has previously disclosed to customers its use of diagnostic data.

The new focus on privacy comes as different components of Microsoft, one of the world's most valuable companies, have recently faced scrutiny for a variety of privacy concerns, especially LinkedIn, which Microsoft bought in late 2016 for $26 billion.

Nicole Leverich, a spokesperson for LinkedIn, said “member data is never shared with customers on an individually identifiable level, only in aggregate for ad sales.” Last November, Ireland’s Data Protection Commission found that LinkedIn used the email addresses of around 18 million non-LinkedIn members to target individuals with ads on Facebook all in an effort to grow its customer base.

The regulators noted that LinkedIn’s actions violated its protection standards, although the dispute was amicably resolved.

Leverich said the company “fully cooperated with the DPC’s 2017 investigation of a complaint about a European advertising campaign and found the global processes and procedures we had in place were not followed. We took appropriate action and have made the internal changes to help protect against this happening again.” In Brazil last year, federal prosecutors said Microsoft had violated local laws with its collection of Windows 10 users’ data without getting proper consent. In 2016, France ordered Microsoft to cut back its collection of user data and to halt tracking of the web browsing habits of Windows 10 users without getting permission.

Despite these privacy dustups, Brill touted the recent steps Microsoft has made to improve users’ privacy, including “new features in the Windows setup process, enhanced options for error data reporting in Xbox, a feature called Lockbox for Azure, and updates to our Privacy Dashboard including new tools for parents to manage their children’s settings,” she said.

Microsoft has been the subject of a number of complaints to the Irish Data Protection Commission, according to a commission spokesman, but none were serious enough to warrant a statutory investigation, and of the 16 open investigations into multinational tech companies, none are related to Microsoft. There have been 3,500 complaints to the commission in total.

Unlike other tech companies, like Facebook, that have drawn fire for privacy issues and problems spreading fake news, Microsoft has set itself up as a paragon of good behaviour, welcoming scrutiny into the company and the broader tech industry. Company leadership routinely highlights its proactive investments in privacy. Last year, the U.S. Supreme Court heard arguments after Microsoft challenged an American search warrant for a customer email that resided in Microsoft's servers in Ireland, and last May, the company announced it was extending the privacy rights that are at the core of GDPR to its worldwide consumer customer base.

“Having the scrutiny is actually good, I think,” CEO Satya Nadella told the Washington Post last October. He urged the tech sector to improve its behavior. “Anyone who is providing a very critical service needs to raise the standards of the safety of that technology and the security of that technology.”

The huge problems affecting Facebook have touched other companies as well, including Microsoft. The New York Times reported in December that Facebook gave Bing, Microsoft’s search engine, the ability to view the names of almost all Facebook users’ friends without permission and also had data-sharing arrangements with companies including Netflix, Spotify, Amazon and Yahoo.

“Bing did not maintain profiles based on Facebook data for advertising or personalization purposes, and we took significant engineering steps beyond what Facebook required to ensure this could not happen,” said Brill.

“We ended our contract with Facebook in February 2016 and data stopped appearing in search results.”