Friday, November 22, 2024

ZDI shames Microsoft for coordinated vuln disclosure snafu

Must read

Exclusive A Microsoft zero-day exploit that Trend Micro’s Zero Day Initiative team claims it found and reported to Redmond in May was disclosed and patched by the Windows giant in July’s Patch Tuesday – but without any credit given to ZDI.

The flaw, tracked as CVE-2024-38112, is in MSHTML (aka Trident) – Microsoft’s proprietary browser engine for Internet Explorer. Redmond called it a spoofing vulnerability, and assigned it a 7.5 CVSS severity score. ZDI, meanwhile, contends that it’s a remote code execution flaw, which would likely garner a more critical rating.

“They’re saying what we reported was a defense-in-depth fix only, but they won’t tell us what that defense-in-depth fix really is,” Dustin Childs, head of threat awareness at ZDI, told The Register in an exclusive interview.

We have asked Microsoft for comment, and will update this story if and when we hear back.

This entire series of unfortunate events not only highlights problems with Microsoft’s bug reporting program, but also the coordinated vulnerability disclosure process in general, according to Childs.

Even up until Friday afternoon, he lamented, “there are [Trend Micro] people on the phone with Microsoft right now, as we’re having this conversation, still talking with Microsoft trying to figure out what’s going on.”

“I hate to say this,” he continued, “but it seems like they really don’t have a full grasp of what’s going on with this patch.”

Vendors want the researchers to coordinate with them up front, but once they get the bugs, they stop coordinating with the researchers

In Childs’s telling, ZDI detected the vulnerability and reported it to Microsoft in mid-May. And then the team heard nothing until seeing the software update on Tuesday.

“It’s a pretty nifty exploit,” Childs told The Register. “These threat actors found a way to resurrect a zombie Internet Explorer. They were able to get Internet Explorer to then go out and download a stealer, and really they’re looking for cryptocurrency wallets.”  

Microsoft disabled Internet Explorer back in June 2022, and the now-dead browser no longer receives security fixes. 

Trend Micro dubbed the miscreants who were exploiting CVE-2024-38112 as Void Banshee. They are a newish nation-state cyber crime crew, and Trend hasn’t yet linked the gang to a particular region. 

According to a technical analysis of the attack chain published by Trend’s Peter Girnus and Aliakbar Zahravi, Void Banshee abused the flaw to target organizations in North America, Europe, and Southeast Asia and deploy Atlantida stealer malware.

If we had to bet on who is behind Void Banshee – given the ultimate goal seems to be stealing cryptocurrency – we’d put our money on North Korea.

Credit where credit is due?

“So we had reported it to Microsoft, and as of Monday” – the day prior to July’s Patch Tuesday – “it was still listed as in development with the MSRC,” Childs said. This, he added, led ZDI to believe that Redmond wouldn’t patch the flaw until August. Trend customers, he noted, have been protected since June.

“Much to our surprise, it was released with this month’s Patch Tuesday release, which was very interesting because we weren’t credited at all in the advisory,” Childs noted.

Microsoft credited Check Point Research’s Haifei Li with finding and disclosing the bug. We should note it’s not uncommon for more than one security team to uncover and report the same hole in a product – especially one that is under active exploitation. In its report about the Internet Explorer bug, Check Point warned criminals had been abusing the flaw for at least a year.

Even Li, however, seemed surprised by Microsoft’s July patch.

“This is not the first time @msftsecresponse telling us they’re going to patch the issue in month X but released the patch earlier without notifying us,” he Xeeted on Patch Tuesday. “Coordinated disclosure can’t be just one-side coordination.”

That’s the real problem here, Childs opined. “Vendors want the researchers to coordinate with them up front – but once they get the bugs, they stop coordinating with the researchers, despite what they’ve publicly said, and researchers are left in a lurch.”

“We don’t know what’s going on. We don’t know what’s coming. We’re often not credited properly. They spell our names wrong, and we’re giving them bugs for free.”

When asked if this is an industry-wide issue or just a Microsoft problem, Childs simply answered: “Yes.”

Microsoft: not the only bad guy

ZDI and others have raised this issue specifically to Microsoft in the past, but it’s not limited to Redmond. Phoenix Contact, Autodesk AutoCAD and Ivanti are “guilty as well,” Childs said, noting that Ivanti “has vastly improved.”

Previously, ZDI reported 18 bugs to French software giant Dassault Systèmes, and the multiple flaws were only given one vulnerability tracker: CVE-2024-1847

In a similar case, Delta Electronics assigned one CVE to 17 bug submissions – an issue that Trend covered at Black Hat in 2022. 

More recently, Rapid7 shamed JetBrains for its “uncoordinated vulnerability disclosure” of the TeamCity flaws, and QNAP came under fire for downplaying the severity of a couple of bugs – including one zero-day.

“It’s creating a situation where it’s really pushing researchers away from reporting to vendors, which is going to be very problematic in the near future,” Childs warned. 

If bug hunters don’t report exploits to affected vendors, and if vendors don’t accurately disclose the severity and scope of vulnerabilities in their products, customers will end up feeling the pain.

“It’s the end users who are going to end up suffering for this,” Childs opined. “If they’re not able to accurately judge the risk to their systems, they might not be able to roll out patches in the appropriate time frame.”

This, of course, is an industry-wide problem that many – including the US government – are working to solve, but it’s not going to be an easy fix. Trend, for its part, will launch what it’s calling the Vanguard Awards at this year’s Black Hat to highlight researchers and vendors who are winning at vulnerability disclosure and transparent communication.

“There won’t be a ‘failure’ category, because we’d rather reward outstanding work rather than highlight mistakes or miscalculations,” Childs wrote in a blog today about the recent Microsoft CVD snafu.

Still, Childs acknowledges that it’s going to take more than awards to fix the broken system.

“There’s nothing really that’s working right now to incentivize vendors to be better at disclosure,” he said. “This is a microcosm of it, but it is an industry problem.” ®

Latest article