When manufacturers do not take vulnerabilities seriously 


The case of the recently fixed Windows MSHTML vulnerability (CVE-2024-43461) shows that Microsoft did not react seriously despite warnings from two vendors (Trend Micro and Check Point), even though the vulnerability had already been exploited by attackers. A commentary.

The vulnerability was first disclosed in September 2024 as part of Patch Tuesday, but was only subsequently marked as already exploited. It was used in zero-day attacks by the hacker group Void Banshee to install malicious software such as the Atlantida infostealer and steal sensitive data. Richard Werner, Security Advisor at Trend Micro, said: "We should be aware that there are companies in the IT industry on which entire countries depend. These companies will try to impose their ideas - whether we like it or not."


Informing customers about security vulnerabilities is mandatory

Manufacturers have a duty to inform their customers about the dangers of security vulnerabilities. It is now widely understood that customers are directly exposed and that any resulting problems reflect back on the manufacturer. Providing this information is therefore not just a "nice to have" but a necessary measure of self-protection. But that is only the tip of the iceberg.

A great deal is happening beneath the surface of patching. This year we will probably pass the 30,000 mark for registered security vulnerabilities for the first time. In addition, criminals are currently discovering a new vulnerability every three days on average - a total of 150 in 2023. The same software products are often affected repeatedly because patches are developed too quickly, poorly or inadequately. In principle, criminals only have to look in the immediate vicinity of known vulnerabilities to find new ones.

Most of these vulnerabilities are not discovered by the companies themselves but by independent researchers, who either report their findings to the manufacturer or sell them underground. How a company treats honest finders can therefore be decisive, and that is primarily a matter of communication. Are finders taken seriously? Is the problem understood? Is the researcher's work understood?

Security researchers are disappointed with manufacturers

Richard Werner, Security Advisor at Trend Micro (Image: Trend Micro).

Security researchers are increasingly criticizing the behavior of manufacturers. It is particularly frustrating when a researcher's proposed severity rating under the CVSS (Common Vulnerability Scoring System) is downgraded by the manufacturer without any comprehensible reason. This makes it difficult for researchers to judge whether the downgrade is justified or whether the problem was simply not understood correctly. Moreover, honest finders invest a great deal of their own time and effort in getting such vulnerabilities closed. A certain etiquette is therefore expected so that both sides can continue to work together constructively. But if problems with a company's own software, new or old, are repeatedly raised because earlier communication was insufficient, politeness is lost - on both sides.

These conflicts and tensions could in fact be avoided. But a look at social media shows that such incidents happen almost daily. Nervousness in the industry is widespread and shows in many details. Overworked staff, a consequence of processes streamlined to cut costs, is certainly one of the causes. Everything is supposed to be faster and more efficient, but that does not necessarily lead to better quality or greater customer satisfaction.

Such behavior is not uncommon in the software industry. It occurs above all where an industry giant has enough market power to prevail even against external resistance. Other companies often follow this example reluctantly because they have no other choice. We should be aware that there are companies in the IT industry on which entire countries depend. These companies will try to impose their ideas - whether we like it or not.

More at TrendMicro.com

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.
