Microsoft is facing criticism from security researchers over its handling of a recently patched zero-day vulnerability. The controversy centers around CVE-2024-38112, a flaw in the MSHTML (Trident) rendering engine that was actively exploited by threat actors before being patched in July 2024’s Patch Tuesday update.
Trend Micro’s Zero Day Initiative (ZDI)
Trend Micro’s Zero Day Initiative (ZDI) has publicly accused Microsoft of failing to properly credit them for reporting the vulnerability. According to ZDI, they discovered and reported the flaw to Microsoft in mid-May 2024, but the tech giant patched it in July without acknowledging ZDI’s contribution.
Dustin Childs, head of threat awareness at ZDI, expressed frustration with Microsoft’s response in an exclusive interview with The Register. “They’re saying what we reported was a defense-in-depth fix only, but they won’t tell us what that defense-in-depth fix really is,” Childs stated.
Microsoft classified the vulnerability as a spoofing issue with a CVSS score of 7.5, while ZDI believes it is a more severe remote code execution flaw. This discrepancy in severity assessment has further fueled the controversy.
CVE-2024-38112
Trend Micro researchers Peter Girnus and Aliakbar Zahravi published a technical analysis of the exploit, revealing that a nation-state affiliated cybercrime group dubbed “Void Banshee” had been actively exploiting CVE-2024-38112 in the wild. The attackers used the vulnerability to target organizations in North America, Europe, and Southeast Asia, deploying the Atlantida stealer malware.
The exploit chain is particularly noteworthy as it managed to “resurrect” the deprecated Internet Explorer browser to download and execute malicious payloads. “These threat actors found a way to resurrect a zombie Internet Explorer. They were able to get Internet Explorer to then go out and download a stealer, and really they’re looking for cryptocurrency wallets,” Childs explained.
Microsoft’s July Patch Tuesday addressed a total of 138 CVEs, including five critical vulnerabilities and three zero-days. CVE-2024-38112 was one of two zero-days confirmed to be exploited in the wild, alongside CVE-2024-38080, a Windows Hyper-V elevation of privilege vulnerability.
This incident has reignited discussions about the broader issues surrounding coordinated vulnerability disclosure processes in the cybersecurity industry. Childs warned that such practices could discourage researchers from reporting vulnerabilities to vendors: “It’s creating a situation where it’s really pushing researchers away from reporting to vendors, which is going to be very problematic in the near future.”
Microsoft has yet to comment on the situation
The controversy underscores the ongoing challenges in balancing timely security patches with proper attribution and communication between security researchers and software vendors. As the cybersecurity landscape continues to evolve, incidents like this highlight the need for improved collaboration and transparency in vulnerability reporting and patching processes.
Microsoft has not yet publicly responded to ZDI’s accusations. The tech community awaits further clarification from the company regarding its handling of CVE-2024-38112 and its broader approach to coordinated vulnerability disclosure. Stay tuned.

