Sign in / up

back to article ZDI shames Microsoft for – yet another – coordinated vulnerability disclosure snafu

A Microsoft zero-day vulnerability that Trend Micro's Zero Day Initiative team claims it found and reported to Redmond in May was disclosed and patched by the Windows giant in July's Patch Tuesday – but without any credit given to ZDI. The flaw, tracked as CVE-2024-38112, is in MSHTML aka Trident aka Microsoft's proprietary …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Ball boy Silver badge

    Microsoft disabled Internet Explorer back in June 2022, and the now-dead browser no longer receives security fixes.

    Then, a few paras later...

    Basically, marks are tricked into opening a malicious shortcut file [..] that activates the Windows PC's dormant Internet Explorer

    Seems to me the crux of the problem is this: Redmond's idea of 'disable' and most people's idea of 'disable' are at odds. Their version seems to be 'well, we took the icon away so people can't click it' - and left the codebase in there, complete with any attack surface it presents. Some might say that's the inevitable result of spending ten plus years embedding browser tech deeply into the underlying operating system, suggesting it's impossible to properly remove I.E. without breaking core OS functionality.

    22 0 Reply
    1. IGotOut Silver badge
      Reply Icon

      I can disable a car by pulling the HT leads off. If someone pops open the bonnet and sticks them back on in the correct order, then it can fire it up.

      I didn't lie saying I disabled it.

      5 7 Reply
      1. Bebu
        Reply Icon
        Windows

        I didn't lie saying I disabled it.

        《I can disable a car by pulling the HT leads off. If someone pops open the bonnet and sticks them back on in the correct order, then it can fire it up.》

        I would have nabbed the rotor arm when you weren't looking, to ensure you couldn't lie. ;)

        9 0 Reply
    2. david 12 Silver badge
      Reply Icon

      Redmond's idea of 'disable' a

      You've taken a word written by a Register journalist, and attributed it to Redmond.

      I was glad to see that the later part of the article delivered a more accurate description of the status of IE.

      Some might say that's the inevitable result of spending ten plus years embedding browser tech deeply into the underlying operating system

      30 minus years: Windows 95.

      suggesting it's impossible to properly remove I.E. without breaking core OS functionality.

      Well, that's been the subject of ongoing dispute: MS asserted that the Help System, HTML Application support, and the Desktop were "core" OS functionality: the competition asserted that anything not matched by Linux/BSD was not "core" OS functionality.

      4 0 Reply
      1. sgp
        Reply Icon

        I don't really get what you are trying to say. But having the web browser with the worst security reputation ever still in the codebase is just mindboggling. But sure, Microsoft doesn't care about Windows unless it's about whatever stupid fad is in swing (AR, AI,...). Removing all that exploitable code would be difficult because a lot of parts of Windows are probably still intertwined with it and it doesn't add anything to the bottom line. In a serious organization it would be done anyway but this is Microsoft so par for the course.

        7 0 Reply
    3. Anonymous Coward
      Reply Icon
      Anonymous Coward

      mshtml.dll

      It’s still used by many older apps (VB apps for example) and was used by Outlook as the email rendering engine up until … well, fairly recently, I think.

      So “resurrecting internet explorer” is probably a tad inaccurate, but “close enough”.

      0 0 Reply
  2. RedGreen925

    Shocked

    I truly am, those clowns at Microsoft have no clue how to classify a security vulnerability, with their stellar record over the last forty years or so with security who would ever have thunk it...

    3 0 Reply
  3. Furious Reg reader John

    Maybe it's just me, but

    when I read this, all I'm getting is a feeling that ZDI have a bruised ego that CheckPoint wrote up the flaw better than they did, and are whining about that.

    As for complaining that vendors sometimes patch things quicker than expected - WTF....

    ZDI need to grow up.

    4 6 Reply
  4. Anonymous Coward
    Anonymous Coward

    So IE is still win the build

    Win 11 is now 64GB install... Not surprising IE is still in there, I'm sue that spell check for notepad doesn't make that much difference to install size, just curious if "clippy" is still hiding in there somewhere ?

    8 0 Reply
    1. MSArm
      Reply Icon

      Re: So IE is still win the build

      Yes clippy is still in there. It's clippy that displays the condescending messages when you're installing windows, like 'sit back and relax as we work our magic'

      1 1 Reply
  5. Zippy´s Sausage Factory

    "it seems like they really don't have a full grasp of what's going on"

    That feels like it could describe lots of Micros~1 efforts these days, to be honest.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like