Microsoft ignored months-old security bug in Outlook that allowed email spoofing


Facepalm: While Microsoft focuses on fixing its weak security practices, critical bugs in its many services and products keep popping up. A researcher discovered a dangerous flaw in Outlook months ago, but Microsoft waited until now to respond and attempt to fix it.

SolidLab security researcher Vsevolod Kokorin discovered a vulnerability that allowed him to impersonate any Outlook account, sending potentially malicious emails from apparently legitimate users. Kokorin demonstrated the critical bug by spoofing Microsoft’s security team, but Redmond’s response wasn’t exactly what he expected.

SolidLab discovered the flaw months ago and alerted Microsoft immediately. The company said it couldn’t reproduce the issue, so Kokorin sent a video showing his successful exploitation with a “full” proof-of-concept (PoC).

The impersonation PoC exploit only works when sending emails to an Outlook account, but Outlook remains one of the most popular email services, with 400 million users worldwide. Microsoft could not reproduce the bug, so the company closed the issue.

Kokorin vented his frustration by ranting on X and privately sharing the technical details of the bug with TechCrunch. He did not expect a mob to form that was angry at him. Many “misunderstood” his intentions and accused him of leveraging public attention for monetary gain. Kokorin said all he wanted was to force giant corporations like Microsoft to stop ignoring researchers and be less dismissive when alerted to potentially damaging bugs in their software.

“I did not expect my post to get such a reaction. Honestly, I just wanted to share my frustration because this situation made me sad,” Kokorin told TechCrunch. “Many people misunderstood me and think that I want money or something like that. In reality, I just want companies not to ignore researchers and to be more friendly when you try to help them.”

Surprisingly, the faux-X-rage about the Outlook bug did what Kokorin had hoped. Microsoft reopened the issue. Redmond likely noticed Kokorin’s post and revisited the reports he submitted. The Outlook email bug is still open at the time of writing.

Microsoft CEO Satya Nadella recently expressed dissatisfaction regarding the company’s practices in dealing with security bugs. Nadella sent an internal memo explaining that Microsoft should now prioritize security above everything else in a company-wide push involving all teams and projects. The US Cyber Safety Review Board also labeled Microsoft’s practices as “inadequate” after investigating major security incidents involving Windows and other products.
