Microsoft faces backlash from Zero Day Initiative (ZDI) and security researchers over lack of transparency in vulnerability disclosure especially during its last week’s Patch Tuesday. The recent mishandling of CVE-2024-38112 highlights industry concerns about rushed patching, improper crediting, and the impact on user security.
Security researchers and Zero Day Initiative (ZDI) have expressed frustration with the lack of transparency and communication from vendors regarding coordinated vulnerability disclosure (CVD). A recent incident involving Microsoft exemplifies the issues plaguing the system.
Trend Micro’s ZDI reported a critical vulnerability (CVE-2024-38112) to Microsoft in May, only to see it addressed in last week’s Patch Tuesday with no acknowledgement from the vendor for ZDI. This lack of communication is not an isolated event, researchers report.
Another researcher, Haifei Li of Check Point, who also independently discovered the same vulnerability, went unacknowledged, further highlighting the lack of communication from Microsoft. Li criticized Microsoft in a post, stating that coordinated disclosures cannot be “one-sided” coordination.
Kẻ soi mói, a researcher from Dataflow Security, in a series of Tweets, revealed that he had reported similar vulnerabilities in SharePoint that remain unaddressed despite Microsoft patching unrelated bugs.
Valentina Palmiotti of IBM X-Force discovered a critical exploit, which was “a winning entry at Pwn2Own this year,” but expressed dismay over receiving a questionable CVSS rating when the patch was released despite handing over Microsoft a workable exploit.
Researchers argue that CVD is not working as intended. Vendors are requesting detailed vulnerability reports but failing to reciprocate with timely communication, proper crediting, and clear explanations for decisions regarding patch urgency and severity ratings.
For instance, a RADIUS vulnerability rated as CVSS 7.5 by Microsoft was rated 9.0 by the researcher who discovered it, causing a significant difference in the speed of patch deployment.
Microsoft launched its Secure Future Initiative (SFI) in 2023, aiming to create a new era of security and transparency. However, this has not been achieved. The lack of coordination between vendors and researchers ultimately hurts end users as they struggle to assess risk and may delay patching critical vulnerabilities. Additionally, disagreements over severity ratings can lead to delayed deployments, leaving users exposed for longer periods.
As per the latest update, Microsoft has credited ZDI and Trend as a “defence-in-depth” hat-tip, claiming that ZDI’s report did not meet the CVE criteria, but a similar report from CheckPoint was issued a CVE, and the update addressed both issues. CheckPoint’s Li states that CVE-2024-38112 has resulted in two Microsoft patches.
The lack of transparency in CVD is a complex issue with significant consequences for user security. Increased government oversight and industry initiatives may provide the necessary push for positive change.
The ZDI will launch the Vanguard Awards at Black Hat to recognize exemplary practices in vulnerability disclosure with categories like “Most Transparent Communication” and “Fastest to Patch,” aiming to incentivize vendors to improve their CVD processes.