ZDI Shames Microsoft for – Yet Another – Coordinated Vulnerability Disclosure Mistake


Exclusive A Microsoft zero-day vulnerability that Trend Micro’s Zero Day Initiative team claims to have found and reported to Redmond in May was disclosed and patched by the Windows giant in July’s Patch Tuesday — but without any credit given to ZDI.

The flaw, tracked as CVE-2024-38112, is in MSHTML, aka Trident, Microsoft’s proprietary browser engine for Internet Explorer. Redmond called it a spoofing vulnerability, noted that it was being exploited in the wild, and gave it a CVSS severity score of 7.5 out of 10.

ZDI, meanwhile, maintains that it is a remote code execution flaw, which would probably deserve a more critical rating.

“They say what we reported was just a defense-in-depth patch, but they won’t tell us what that defense-in-depth patch actually is,” Dustin Childs, ZDI’s threat awareness manager, told The Register in an exclusive interview.

We’ve asked Microsoft for comment and will update this article if and when we hear back.

This series of unfortunate events not only highlights the problems with Microsoft’s bug reporting program, but also the coordinated vulnerability disclosure process in general, according to Childs.

As of Friday afternoon, he lamented, “there are people (from Trend Micro) on the phone with Microsoft right now, as we’re having this conversation, still talking to Microsoft to try to understand what’s going on.”

“I hate to say it,” he continued, “but it seems like they don’t really have a clear idea of what’s going on with this patch.”


According to Childs, ZDI spotted the vulnerability and reported it to Microsoft in mid-May. The team then heard nothing back until the software update was released on Tuesday.

“It’s a pretty nifty feat,” Childs told The Register. “These malicious actors have found a way to resurrect a zombie Internet Explorer. They have managed to trick Internet Explorer into downloading an information stealer, and in reality, they are looking for cryptocurrency wallets.”

In June 2022, Microsoft disabled Internet Explorer, and the retired browser no longer receives security patches. In 2024, malicious actors have revived the disabled browser and are exploiting it to compromise modern Windows systems.

Trend Micro has dubbed the criminals exploiting CVE-2024-38112 in the wild Void Banshee. It is a newly identified nation-state threat group, and Trend has not yet linked the gang to any particular region.

According to a technical analysis of the MSHTML bug exploit, published by Peter Girnus and Aliakbar Zahravi of Trend, Void Banshee abused the flaw to target organizations in North America, Europe, and Southeast Asia to execute the Atlantida information-stealing malware on users’ Windows PCs.

If we had to bet on who is behind Void Banshee – given that the ultimate goal appears to be cryptocurrency theft – we would bet on North Korea.

Should we give Caesar what belongs to Caesar?

“So we reported the issue to Microsoft, and as of Monday, the day before July Patch Tuesday, it was still listed as being in development by the MSRC,” Childs said. That led ZDI to believe Redmond wouldn’t patch the flaw until August. Trend customers, he noted, have been protected since June.

“Much to our surprise, this feature was released with this month’s Patch Tuesday release, which was very interesting because we weren’t credited at all in the advisory,” Childs noted.

Microsoft credited Haifei Li of Check Point Research with discovering and disclosing the bug. It should be noted that it is not uncommon for multiple security teams to discover and report the same flaw in a product, especially when it is actively being exploited.

In its report on the Internet Explorer bug, Check Point warned that criminals have been exploiting the flaw for at least a year.

Basically, victims are tricked into opening a malicious shortcut file (which may arrive inside a .zip archive from a dubious download site). The shortcut invokes the Windows PC’s disabled Internet Explorer and exploits it to compromise the computer, allowing malware to steal sensitive and valuable information from the victim. After exploitation, the malware is delivered as a poisoned HTML application (HTA) that runs further malicious code via VBScript. Patching prevents this chain from working.
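As an added defender-side illustration, not code from the article, from Trend Micro or from Check Point, the script below triages a zip archive for the two file types the chain above relies on: shortcut files (.lnk, .url) that start it, and HTML Application (.hta) files carrying VBScript. It also flags shortcuts with a decoy document extension (for example a name ending in .pdf.url); that decoy list, the sample archive and its placeholder URL are constructed here for demonstration and are not artefacts from the campaign.

```python
import io
import re
import zipfile

# Extensions that matter for the chain described above: shortcut files that
# kick it off, and HTML Applications (HTA) that carry the VBScript stage.
SHORTCUT_EXTENSIONS = (".lnk", ".url")
HTA_EXTENSIONS = (".hta",)

# Document-like inner extensions used to make a shortcut look harmless
# (e.g. "report.pdf.url"); this list is an assumption, not from the article.
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")

# Matches <script language="VBScript"> in any case, with optional quotes/spacing.
VBSCRIPT_PATTERN = re.compile(
    rb'<script[^>]*language\s*=\s*["\']?vbscript', re.IGNORECASE)


def has_decoy_double_extension(filename: str) -> bool:
    """True for names like 'invoice.pdf.url' where a document extension precedes the real one."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    # Need at least a stem, a decoy extension and the real extension.
    return len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS


def triage_archive(zip_bytes: bytes) -> dict:
    """Summarise shortcut and HTA members of a zip archive held in memory.

    Returns lists of suspicious member names plus a 'risky' flag that is set
    when any shortcut or any VBScript-bearing HTA is present.
    """
    findings = {
        "member_count": 0,
        "shortcuts": [],
        "decoy_shortcuts": [],
        "hta_with_vbscript": [],
        "hta_other": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings["member_count"] += 1
            lowered = info.filename.lower()
            if lowered.endswith(SHORTCUT_EXTENSIONS):
                findings["shortcuts"].append(info.filename)
                if has_decoy_double_extension(info.filename):
                    findings["decoy_shortcuts"].append(info.filename)
            elif lowered.endswith(HTA_EXTENSIONS):
                body = zf.read(info)
                if VBSCRIPT_PATTERN.search(body):
                    findings["hta_with_vbscript"].append(info.filename)
                else:
                    findings["hta_other"].append(info.filename)
    findings["risky"] = bool(findings["shortcuts"] or findings["hta_with_vbscript"])
    return findings


def build_sample_archive(include_payload: bool = True) -> bytes:
    """Constructed sample archive for demonstration; not a real Void Banshee artefact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed benign text\n")
        if include_payload:
            # Internet shortcut with a placeholder URL; only the file type matters here.
            zf.writestr("Invoice.pdf.url",
                        "[InternetShortcut]\r\nURL=http://example.invalid/placeholder\r\n")
            zf.writestr("loader.hta",
                        '<html><script language="VBScript">'
                        'MsgBox "constructed sample"</script></html>')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

Run against a real attachment by passing the archive bytes to `triage_archive`; a mail gateway or sandbox would quarantine anything that comes back with `risky` set, and the `decoy_shortcuts` list is the cheapest signal to surface to the user.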

Even Li seemed surprised by Microsoft’s July update.

“This is not the first time that Microsoft’s Security Response Center has told us they’re going to fix the issue in month X, but then released the patch early without telling us,” he said on Patch Tuesday. “A coordinated disclosure cannot be a simple one-way coordination.”

That’s the real problem, Childs said. “Vendors want researchers to coordinate with them up front, but once they find bugs, they stop coordinating with researchers, despite what they’ve said publicly, and researchers are left in a difficult situation.”

“We don’t know what’s going on. We don’t know what’s going to happen. Often, we’re not credited correctly. They spell our names wrong and we give them bugs for free.”

When asked if this was an industry-wide problem or just Microsoft, Childs simply said, “Yes.”

Microsoft is not the only offender

While ZDI and others have raised this issue specifically with Microsoft in the past, it’s not limited to Redmond. Phoenix Contact, Autodesk AutoCAD and Ivanti are “also guilty,” Childs said, noting that Ivanti “has improved dramatically.”

Previously, ZDI had reported 18 bugs to French software giant Dassault Systèmes, and the 18 flaws received only a single CVE identifier between them: CVE-2024-1847.

In a similar case, Delta Electronics assigned a single CVE to 17 bug submissions – an issue Trend covered during Black Hat 2022.

More recently, Rapid7 shamed JetBrains for its “uncoordinated vulnerability disclosure” of TeamCity flaws, and QNAP was criticized for downplaying the severity of a few bugs, including a zero-day.

“This creates a situation where researchers are really being pushed away from accountability to vendors, which is going to be very problematic in the near future,” Childs warned.

If bug hunters fail to report exploits to affected developers, and if these vendors fail to accurately disclose the severity and scope of vulnerabilities in their products, customers will eventually suffer the consequences.

“It’s the end users who are going to suffer,” Childs said. “If they can’t accurately assess the risks to their systems, they may not be able to deploy patches in a timely manner.”


This is, of course, an industry-wide problem that many players—including the U.S. government—are working to solve, but the solution won’t be simple. Trend, for its part, will launch what it calls the Vanguard Awards at this year’s Black Hat conference in Las Vegas to highlight researchers and vendors that are succeeding in vulnerability disclosure and transparent communication.

“There will be no ‘fail’ category, because we prefer to reward exceptional work rather than highlight errors or miscalculations,” Childs wrote in a blog post today about Microsoft’s recent CVD issue.

Still, Childs acknowledges that it will take more than rewards to fix the broken system.

“There are currently no effective measures to incentivize suppliers to communicate their information better,” he said. “It’s a microcosm, but it’s an industry problem.” ®

Updated to add at 20:30 UTC

Microsoft said it has now credited ZDI and Trend, although that credit appears on a separate “defense in depth” advisory rather than on the MSHTML CVE. On the main advisory page for CVE-2024-38112, Check Point is still listed as the sole discoverer of the bug, according to Redmond.

“The ZDI report does not meet the criteria for a CVE,” a Microsoft spokesperson told us today. “However, a similar report from CheckPoint was published as a CVE and the update addressed both issues.”

“We have since updated our documentation to more accurately reflect the vulnerability that was fixed. We have discussed the issue with ZDI and Checkpoint and are always looking for ways to improve our communication and support for researchers.”
