ZDI Shames MS For Yet Another Coordinated Vuln Disclosure Snafu

Exclusive: A Microsoft zero-day vulnerability that Trend Micro’s Zero Day Initiative team claims it found and reported to Redmond in May was disclosed and patched by the Windows giant in July’s Patch Tuesday – but without any credit given to ZDI.

The flaw, tracked as CVE-2024-38112, is in MSHTML aka Trident aka Microsoft’s proprietary browser engine for Internet Explorer. Redmond called it a spoofing vulnerability, noted that it was being exploited in the wild, and assigned it a 7.5-out-of-10 CVSS severity score.

ZDI, meanwhile, contends that it’s a remote code execution flaw, which would likely garner a more critical rating.

“They’re saying what we reported was a defense-in-depth fix only, but they won’t tell us what that defense-in-depth fix really is,” Dustin Childs, head of threat awareness at ZDI, told The Register in an exclusive interview.

We have asked Microsoft for comment, and will update this story if and when we hear back.

This entire series of unfortunate events not only highlights problems with Microsoft’s bug reporting program, but also the coordinated vulnerability disclosure process in general, according to Childs.

Even up until Friday afternoon, he lamented, “there are [Trend Micro] people on the phone with Microsoft right now, as we’re having this conversation, still talking with Microsoft trying to figure out what’s going on.”

“I hate to say this,” he continued, “but it seems like they really don’t have a full grasp of what’s going on with this patch.”


In Childs’s telling, ZDI spotted the vulnerability and reported it to Microsoft in mid-May. And then the team heard nothing until seeing the software update on Tuesday.

“It’s a pretty nifty exploit,” Childs told The Register. “These threat actors found a way to resurrect a zombie Internet Explorer. They were able to get Internet Explorer to then go out and download an info-stealer, and really they’re looking for cryptocurrency wallets.”  

Microsoft ostensibly disabled Internet Explorer back in June 2022, and the now-dead browser no longer receives security fixes. Fast forward to 2024, and miscreants are reviving that defunct browser and exploiting it to take over modern Windows systems.

Trend Micro dubbed the miscreants who were exploiting CVE-2024-38112 in the wild Void Banshee. They are a newish nation-state-level cyber-crime crew, and Trend hasn’t yet linked the gang to a particular region.

According to a technical analysis of the exploitation of the MSHTML bug, published by Trend’s Peter Girnus and Aliakbar Zahravi, Void Banshee abused the flaw to target organizations in North America, Europe, and Southeast Asia, to run Atlantida info-stealer malware on people’s Windows PCs.

If we had to bet on who is behind Void Banshee – given the ultimate goal seems to be stealing cryptocurrency – we’d put our money on North Korea.

Credit where credit is due?

“So we had reported it to Microsoft, and as of Monday” – the day prior to July’s Patch Tuesday – “it was still listed as in development with the MSRC,” Childs said. This, he added, led ZDI to believe that Redmond wouldn’t patch the flaw until August. Trend customers, he noted, have been protected since June.

“Much to our surprise, it was released with this month’s Patch Tuesday release, which was very interesting because we weren’t credited at all in the advisory,” Childs noted.

Microsoft credited Check Point Research’s Haifei Li with finding and disclosing the bug. We should note it’s not uncommon for more than one security team to uncover and report the same hole in a product – especially one that is under active exploitation.

In its report about the Internet Explorer MSHTML bug, Check Point warned criminals had been abusing the flaw for at least a year.

Basically, marks are tricked into opening a malicious shortcut file – which could be stashed in a .zip archive from a dodgy download website – that activates the Windows PC’s dormant Internet Explorer, and exploits it to compromise the computer, allowing sensitive and valuable information to be stolen from the victim by malware. That malicious software is introduced post-exploitation as a poisoned HTML application that brings in more bad code to run via VBScript. Patching prevents this from happening.

Even Li seemed surprised by Microsoft’s July update.

“This is not the first time Microsoft Security Response Center telling us they’re going to patch the issue in month X but released the patch earlier without notifying us,” he Xeeted on Patch Tuesday. “Coordinated disclosure can’t be just one-side coordination.”

That’s the real problem here, Childs opined. “Vendors want the researchers to coordinate with them up front – but once they get the bugs, they stop coordinating with the researchers, despite what they’ve publicly said, and researchers are left in a lurch.”

“We don’t know what’s going on. We don’t know what’s coming. We’re often not credited properly. They spell our names wrong, and we’re giving them bugs for free.”

When asked if this is an industry-wide issue or just a Microsoft problem, Childs simply answered: “Yes.”

Microsoft: Not the only bad guy

Though ZDI and others have raised this issue specifically to Microsoft in the past, it’s not limited to Redmond. Phoenix Contact, Autodesk AutoCAD, and Ivanti are “guilty as well,” Childs said, noting that Ivanti “has vastly improved.”

Previously, ZDI reported 18 bugs to French software giant Dassault Systèmes, and the multiple flaws were only given one vulnerability tracker: CVE-2024-1847.

In a similar case, Delta Electronics assigned one CVE to 17 bug submissions – an issue that Trend covered at Black Hat in 2022. 

More recently, Rapid7 shamed JetBrains for its “uncoordinated vulnerability disclosure” of the TeamCity flaws, and QNAP came under fire for downplaying the severity of a couple of bugs – including one zero-day.

“It’s creating a situation where it’s really pushing researchers away from reporting to vendors, which is going to be very problematic in the near future,” Childs warned. 

If bug hunters don’t report exploits to affected developers, and if those suppliers don’t accurately disclose the severity and scope of vulnerabilities in their products, customers will end up feeling the pain.

“It’s the end users who are going to end up suffering for this,” Childs opined. “If they’re not able to accurately judge the risk to their systems, they might not be able to roll out patches in the appropriate time frame.”


This, of course, is an industry-wide problem that many – including the US government – are working to solve, but it’s not going to be an easy fix. Trend, for its part, will launch what it’s calling the Vanguard Awards at this year’s Black Hat conference in Vegas to highlight researchers and vendors who are winning at vulnerability disclosure and transparent communication.

“There won’t be a ‘failure’ category, because we’d rather reward outstanding work rather than highlight mistakes or miscalculations,” Childs wrote in a blog today about the recent Microsoft CVD snafu.

Still, Childs acknowledges that it’s going to take more than awards to fix the broken system.

“There’s nothing really that’s working right now to incentivize vendors to be better at disclosure,” he said. “This is a microcosm of it, but it is an industry problem.” ®

Updated to add at 2030 UTC

Microsoft says it has now credited ZDI and Trend, albeit as a “defense-in-depth” hat-tip here with no link to the MSHTML CVE. Indeed, on the main advisory page for CVE-2024-38112, Check Point is still listed as the sole discoverer of the bug, according to Redmond.

“The report from ZDI did not meet the bar for a CVE,” the Microsoft spokesperson told us today. “However, a similar report from CheckPoint was issued a CVE and the update addressed both issues.

“We have since updated our documentation to more accurately reflect the vulnerability that was addressed. We have discussed the issue with both ZDI and Checkpoint and are always looking for ways to improve our communication and support for researchers.”

Check Point’s Li also says CVE-2024-38112 seems to have resulted in two patches from Microsoft.
