ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu

July 15, 2024 at 11:10AM

Microsoft shipped a patch for CVE-2024-38112, a zero-day that was being exploited in the wild in MSHTML (aka Trident), the proprietary browser engine behind Internet Explorer, without crediting Trend Micro's Zero Day Initiative (ZDI), which had reported the flaw to Redmond in May. The two sides also disagree on severity: ZDI contends it is a critical remote code execution bug, while Microsoft rates it as a spoofing vulnerability. The episode highlights recurring problems with Microsoft's bug bounty program and with the coordinated vulnerability disclosure (CVD) process generally, and Trend is pushing for more transparency and better communication between researchers and vendors so that end users get an accurate picture of the risk they face.

The article describes a breakdown in the handling of a zero-day in Microsoft's MSHTML (aka Trident) browser engine that was reported by Trend Micro's Zero Day Initiative. ZDI's position is that its report was not properly credited and that Microsoft failed to coordinate with the researchers during the disclosure process.

The piece frames this as an industry-wide problem: vendors frequently stop coordinating with researchers once a bug has been reported. That lack of coordination can delay patches and leave end users with an inaccurate or understated view of how severe a vulnerability is.

The article also notes that Trend Micro plans to launch the Vanguard Awards to recognize researchers and vendors who handle vulnerability disclosure well and communicate transparently, with the aim of giving vendors an incentive to improve their disclosure practices.

Overall, the article makes the case that coordination and transparency in vulnerability disclosure need to improve, and that both researchers and vendors have work to do to get there.
