Hey, William in New York here. Microsoft just fixed some critical security flaws in a key product. But first…

Today's top tech news:

- Apple is the first streaming service to win best picture at the Oscars
- Sony is preparing to introduce a PlayStation subscription service as soon as this week
- The head of Amazon Game Studios is out

Microsoft's big fixes

What happens when security software is actually the weak point in your security?

Last year, security researchers discovered five critical software vulnerabilities in a Microsoft Corp. product that's designed to protect the networks of internet of things devices and industrial control systems, according to a forthcoming report provided exclusively to Bloomberg News. The issues, uncovered by the cyber firm SentinelOne, were rated as "extremely" severe, and one would have enabled hackers to compromise technology protected by Microsoft's Defender for IoT by exploiting a flaw in a password recovery tool.

Six months after SentinelOne reported the flaws found in Microsoft's Defender for IoT, Redmond released a fix with little fanfare. While there's no evidence that attackers leveraged the vulnerability for their own gain, Microsoft Defender is supposed to add a layer of security, not provide new pathways for hackers to exploit systems.

The SentinelOne report, authored by Kasif Dekel and Ronen Shustin, said the discovery "raises serious questions about the security of security products themselves and their overall effect on the security posture of vulnerable sectors."

The Microsoft Defender product requires deep access to a customer's network in order to perform its security function. That same access is a potential goldmine for anyone who can figure out how to turn the security product against itself, as Juan Andrés Guerrero-Saade, a researcher at SentinelOne who studies nation-state hacking, told me recently.

"Sadly, I think what we found speaks to the quality of cybersecurity products in general," he said. "I think this is a bit more disturbing, because of the type of products that Defender for IoT is protecting."

Word of the discovery also coincides with repeated warnings from U.S. national security officials, and President Joe Biden himself, to American companies to upgrade their technology and to be on the lookout for potential state-sponsored Russian hacking. That's just one threat: Last week we revealed that the Lapsus$ extortion gang, which has compromised some of the biggest U.S. tech companies, including Microsoft, is thought to be the brainchild of a 16-year-old living with his parents in the U.K.

When asked about the issues that SentinelOne discovered, a Microsoft spokesperson said the company follows recognized vulnerability disclosure practices, and that the company works with partners to resolve any issues in its products.

"We addressed the specific issues mentioned and we appreciate the finder working with us to ensure customers remain safe," the spokesperson said.

But Russian hackers and British teenagers are only the obvious security concerns at the current moment. SentinelOne researchers noted that the Defender product contains code from CyberX, a firm that Microsoft acquired in 2020. As mergers and acquisitions continue in the cybersecurity industry, there's a risk that problems in one security product will spread to another. And it can sometimes take years to reconcile the outdated or faulty code from acquired software.

Guerrero-Saade urged cyber customers to use the current moment to press their suppliers to ensure that their technology is as robust as possible.

"It's not an enviable task to try to secure a large code base," Guerrero-Saade said. "That said, we trust big companies that have been doing this for a long time to do so. And if we can't trust them, then who?"

—[William Turton](mailto:wturton1@bloomberg.net)
If you read one thing

Russian cybersecurity vendor Kaspersky and two Chinese firms were added to a list of companies deemed a threat to U.S. national security, part of a Federal Communications Commission strategy to mitigate risks from some foreign-built technologies. Once a company is on the list, federal subsidies can't be used to purchase its equipment or services.

What else you need to know

Apple urged a federal appeals court to uphold a ruling that largely vindicated its business model, which charges commissions on developers.

Tech giants avoided a regulatory doomsday scenario in Europe.

Indonesian startup giant GoToGroup raised about $1.1 billion in its initial public offering.

Qatar's $450 billion wealth fund is betting on startups.

What to watch: The founder of Ursa Major talks about what the war in Ukraine means for defense technology.

You received this message because you are subscribed to Bloomberg's Fully Charged newsletter.