Security Firm CEO Blasts Microsoft’s ‘Grossly Irresponsible’ Azure Security

Written by Staff
    Tenable CEO Amit Yoran has blasted Microsoft for “grossly irresponsible” Azure security, saying the company is bordering on “blatantly negligent.”

    In a LinkedIn post, Yoran detailed how researchers at his company discovered a flaw in Azure that could “enable an unauthenticated attacker to access cross-tenant applications and sensitive data, such as authentication secrets. To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank.”

    Tenable’s researchers reported the issue to Microsoft when they discovered it in March 2023. According to Yoran, Microsoft neither fixed it promptly nor fixed it completely:

    Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers’ networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.

    Yoran then details the implications of Microsoft’s partial, delayed fix for customers that were already using the affected service:

    That means that as of today, the bank I referenced above is still vulnerable, more than 120 days since we reported the issue, as are all of the other organizations that had launched the service prior to the fix. And, to the best of our knowledge, they still have no idea they are at risk and therefore can’t make an informed decision about compensating controls and other risk mitigating actions. Microsoft claims that they will fix the issue by the end of September, four months after we notified them. That’s grossly irresponsible, if not blatantly negligent. We know about the issue, Microsoft knows about the issue, and hopefully threat actors don’t.

    In one of his most damning statements, Yoran cites Google Project Zero’s research showing that “Microsoft products have accounted for an aggregate 42.5% of all zero days discovered since 2014.”

    Microsoft has faced growing scrutiny over its security practices, with Senator Ron Wyden writing a letter last week to the DOJ, CISA, and the FTC asking the agencies to “hold Microsoft responsible for its negligent cybersecurity practices, which enabled a successful Chinese espionage campaign against the United States government.”

    Microsoft may be the second-largest cloud provider, nipping at the heels of AWS. If the company can’t get its act together when it comes to security, it may soon find itself losing ground in the cloud wars.
