Microsoft Issues CVE Numbers for Cloud Service Vulnerabilities
In a move towards greater transparency and security, Microsoft has announced a new practice of assigning Common Vulnerabilities and Exposures (CVE) numbers for significant vulnerabilities found and fixed within its cloud services. This shift marks a departure from previous practices where vulnerabilities that could be addressed without user intervention were not always publicly disclosed.
The decision to issue CVE numbers for cloud service vulnerabilities, regardless of the need for customer action, reflects Microsoft’s growing emphasis on transparency as cloud services become increasingly integral to modern businesses and infrastructure. By publicly sharing information about vulnerabilities, even those that do not require customer patching or mitigation, Microsoft aims to foster a collaborative environment for learning and improvement across the company and its partners.
This increased transparency can lead to several benefits, including:
- Enhanced Security: Openly sharing vulnerability information allows Microsoft and its partners to identify patterns, strengthen defenses, and ultimately build more secure systems.
- Improved Resilience: By learning from past vulnerabilities, the industry as a whole can better anticipate and respond to future threats, ensuring the resilience of critical infrastructure.
- Greater Customer Confidence: Knowing that Microsoft is proactively identifying and addressing vulnerabilities, even those that don’t directly impact users, can instill greater trust and confidence in its cloud services.
“As our industry matures and increasingly migrates to cloud-based services, we must be transparent about significant cybersecurity vulnerabilities that are found and fixed,” stated Lisa Olson, Senior Program Manager at Microsoft. “By openly sharing information about vulnerabilities that are discovered and resolved, we enable Microsoft and our partners to learn and improve. This collaborative effort contributes to the safety and resilience of our critical infrastructure.”
As an example of this new practice, Microsoft recently published an advisory for CVE-2024-35260, a vulnerability affecting Microsoft Dataverse, which has since been resolved.
While this change does not necessitate any action from customers, it signifies a positive step towards a more transparent and secure cloud environment. Microsoft’s commitment to open communication about vulnerabilities demonstrates its dedication to continuous improvement and the security of its cloud services.