Microsoft slammed for improperly crediting MSHTML bug

Vulnerability Management, Patch/Configuration Management

Microsoft has been chastised by Trend Micro's Zero Day Initiative (ZDI) team for failing to credit the team with identifying the zero-day MSHTML vulnerability tracked as CVE-2024-38112, and for downplaying the severity of the issue, which was addressed as part of this month's Patch Tuesday, reports The Register. While Microsoft rated the flaw a high-severity spoofing bug, ZDI disclosed it as a remote code execution vulnerability that warrants a higher severity rating. ZDI Head of Threat Awareness Dustin Childs said that CVE-2024-38112, which was reported to Microsoft in mid-May, was said to need only a defense-in-depth fix, but no details of that remediation were provided. "Vendors want the researchers to coordinate with them up front – but once they get the bugs, they stop coordinating with the researchers, despite what they've publicly said, and researchers are left in the lurch," said Childs, who also noted similar vulnerability disclosure issues with other vendors, including Ivanti, Phoenix Contact, and Autodesk AutoCAD.
