Microsoft has been chastised by Trend Micro's Zero Day Initiative team for failing to recognize the team's efforts in identifying the zero-day MSHTML vulnerability, tracked as CVE-2024-38112, as well as downplaying the severity of the issue, which has been addressed as part of this month's Patch Tuesday, reports The Register.
While Microsoft dubbed the flaw a high-severity spoofing bug, ZDI disclosed it as a remote code execution vulnerability that warrants a higher severity rating. ZDI Head of Threat Awareness Dustin Childs said that CVE-2024-38112, which was reported to Microsoft in mid-May, only needed a defense-in-depth fix, but details of that remediation effort were not provided. "Vendors want the researchers to coordinate with them up front – but once they get the bugs, they stop coordinating with the researchers, despite what they've publicly said, and researchers are left in a lurch," said Childs, who also noted similar vulnerability disclosure issues with other vendors, including Ivanti, Phoenix Contact, and Autodesk AutoCAD.