What Apple and Microsoft have done is like someone building a house in such a remote rural area that you don’t expect to meet another human for hundreds of miles, and then leaving the door open, day or night. Technically, your house is secure, since no one is expected to come around; until they do.
News of Apple shipping macOS High Sierra with no root password first surfaced late last month. It now appears Microsoft, too, has left its security front door open, simply because it takes a lot of technical skill and the right person to dive that deep into the OS configuration.
Software developer Matthias Gliwka discovered a flaw involving one of Microsoft’s wildcard transport layer security (TLS) certificates. According to Gliwka, the certificate’s private key is shipped along with it whenever a sandbox testing environment is set up for Microsoft’s Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), and Dynamics 365 software.
The exposed private key is the problem: anyone who exports it can impersonate the server and decrypt traffic that the certificate was supposed to keep scrambled. Such an attack exposes the user’s communications without ever being detected.
The flaw affects every host under *.sandbox.operations.dynamics.com and, because one wildcard certificate covers them all, extends to other companies’ sandboxes, giving access to every Dynamics 365 sandbox environment. Sandboxes used for testing often contain a complete mirror of the production database.
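To see why a single leaked wildcard key reaches every tenant, here is an added example (not code from the article or from Microsoft) that applies the standard TLS wildcard hostname matching rules to a constructed inventory of hostnames; the tenant names and the inventory are assumptions.

```python
"""Estimate the blast radius of a leaked wildcard certificate key.

Added example, not code from the article: applies the RFC 6125 wildcard
matching rules that browsers and TLS clients use, so a defender can see
which hosts a holder of the *.sandbox.operations.dynamics.com private key
could impersonate. Tenant names below are constructed, not real.
"""

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by certificate name `pattern`.

    Rules as applied by mainstream TLS clients:
      * labels are compared case-insensitively;
      * '*' is only honoured as the entire leftmost label;
      * the wildcard matches exactly one label, never zero or several;
      * a wildcard needs at least two labels after it (no '*.com').
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # plain name: exact match only
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False                         # partial or overly broad wildcard
    if len(h_labels) != len(p_labels):
        return False                         # '*' covers exactly one label
    return h_labels[1:] == p_labels[1:]

def impersonable_hosts(pattern: str, hostnames) -> list:
    """Hosts in `hostnames` that a holder of the key for `pattern` could serve."""
    return [h for h in hostnames if wildcard_matches(pattern, h)]

if __name__ == "__main__":
    CERT_NAME = "*.sandbox.operations.dynamics.com"
    # Constructed inventory; the tenant names are hypothetical.
    INVENTORY = [
        "contoso.sandbox.operations.dynamics.com",   # another tenant's sandbox
        "fabrikam.sandbox.operations.dynamics.com",  # another tenant's sandbox
        "sandbox.operations.dynamics.com",           # bare name: not covered
        "contoso.prod.operations.dynamics.com",      # production: not covered
        "a.b.sandbox.operations.dynamics.com",       # two labels: not covered
    ]
    for host in INVENTORY:
        flag = "IMPERSONABLE" if wildcard_matches(CERT_NAME, host) else "not covered"
        print(f"{host:45} {flag}")
```

Every hostname flagged IMPERSONABLE belongs to a different tenant, which is why one shared key turns a per-customer sandbox into a fleet-wide exposure.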
Microsoft is currently getting a lot of heat from various stakeholders about this vulnerability, not because anyone expects the company to be perfect, but because this is not a zero-day vulnerability. Gliwka reported the matter to the Microsoft Security Response Center (MSRC) back in August. Microsoft’s response was that the matter does not meet the “bar for security servicing.”
Microsoft argued that for the issue to be a genuine security threat, an attacker would first need admin credentials. Gliwka kept ‘pestering’ Microsoft until October, when he finally took to Twitter and publicly asked Microsoft about fixing the flaw. Microsoft swiftly responded, saying it was working on a fix for the problem.
Perhaps that was just lip service, since no fix was forthcoming until a journalist from a German media outlet opened a ticket in Mozilla’s bug tracker. Then, last week (100 days later), Microsoft resolved the issue. No one expects Microsoft or any other tech company to be perfect, but the fact that it waited so long to issue the update is what is rubbing people the wrong way.