
ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu
2024-07-15 15:00

Exclusive A Microsoft zero-day exploit that Trend Micro's Zero Day Initiative team claims it found and reported to Redmond in May was disclosed and patched by the Windows giant in July's Patch Tuesday - but without any credit given to ZDI. The flaw, tracked as CVE-2024-38112, is in MSHTML - Microsoft's proprietary browser engine for Internet Explorer.

This entire series of unfortunate events not only highlights problems with Microsoft's bug reporting program, but also the coordinated vulnerability disclosure process in general, according to Childs.

Even up until Friday afternoon, he lamented, "There are people on the phone with Microsoft right now, as we're having this conversation, still talking with Microsoft trying to figure out what's going on."

In Childs's telling, ZDI detected the vulnerability and reported it to Microsoft in mid-May. And then the team heard nothing until seeing the software update on Tuesday.

ZDI and others have raised this issue specifically to Microsoft in the past, but it's not limited to Redmond.

"There won't be a 'failure' category, because we'd rather reward outstanding work rather than highlight mistakes or miscalculations," Childs wrote in a blog today about the recent Microsoft CVD snafu.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/15/zdi_microsoft_vulnerability/

Related Vulnerability

DATE: 2024-07-09
CVE: CVE-2024-38112
VULNERABILITY TITLE: User Interface (UI) Misrepresentation of Critical Information vulnerability in Microsoft products (Windows MSHTML Platform Spoofing Vulnerability)
ATTACK VECTOR: network
ATTACK COMPLEXITY: high
VENDOR: microsoft
WEAKNESS: CWE-451
RISK: 7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 688 788 4527 4404 3626 13345