Microsoft blames security info-sharing program for attack code leak

Trying to figure out how exploit example shared with AV partners ended in hackers' hands

Microsoft on Friday confirmed that sample attack code created by the company had likely leaked to hackers from a program it runs with antivirus vendors.

"Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners," Yunsun Wee, a director with Microsoft's Trustworthy Computing group, said in a statement posted on the company's site .

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee added.

Under MAPP, Microsoft provides select antivirus companies with technical information about bugs before Microsoft patches the flaws. MAPP is meant to give third-party security vendors advance warning so that they can craft detection signatures.

Among the things Microsoft shares with MAPP members, according to a program FAQ , are "proof-of-concept or repro tools that further illuminate the issue and help with additional protection enhancement."

The Friday acknowledgment by Microsoft was prompted by claims earlier in the day by Luigi Auriemma , the Italian researcher who reported the vulnerability in Windows Remote Desktop Protocol (RDP) in May 2011.

Auriemma said that code found in a proof-of-concept exploit on a Chinese website was identical to what he had provided HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program. His code was then used by ZDI to create a working exploit as part of the bounty program's bug verification work.

ZDI then passed along information about the RDP vulnerability, including the exploit that used Auriemma's code, to Microsoft.

According to Auriemma, the public exploit included the string "MSRC11678," a reference to a Microsoft Security Response Center (MSRC) case number, indicating that the leak came from Microsoft.

ZDI denied it had been the source of the leak. "We're 100% confident that the leak didn't come from us, and Microsoft is comfortable with us saying that," Aaron Portnoy, the leader of TippingPoint's security research team and the had of ZDI, said in an interview Friday.

Portnoy also described the chain of custody of Auriemma's code -- a specially-constructed data packet that triggers the RDP vulnerability -- from its May 2011 submission to ZDI to its inclusion in the concept exploit that ZDI provided Microsoft in August 2011 as part of a broader analysis of the vulnerability.

The proof-of-concept exploit now circulating among hackers does not allow remote code execution -- necessary to compromise a PC or server, and then plant malware on the system -- but instead crashes a vulnerable machine, said Portnoy. The result: The classic Windows "Blue Screen of Death."

Portnoy also echoed what Microsoft's Wee said of the similarity between the public exploit and Auriemma's code. "We can confirm that the executable [exploit] does have a packet that was part of what Luigi gave us," said Portnoy.

Microsoft launched MAPP in 2008. The program has 79 security firm partners, including AVG, Cisco, Kaspersky, McAfee, Trend Micro and Symantec, as well as several Chinese antivirus companies. A full list of MAPP members can be found on this Microsoft Web page .

On Friday, Wee did not say whether Microsoft had a list of suspects, but noted that all information it passes to MAPP partners was under a "a strict Non-Disclosure Agreement (NDA)." If the leak did originate with a MAPP partner, it would be the first ever for the program.

Microsoft's MS12-020 update patches the RDP bug, and can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com .

See more by Gregg Keizer on Computerworld.com .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

FILL IN THE SURVEY - AND YOU COULD BE A WINNER: ARN wants to hear from YOU. Tell us how you run a successful business and you could win an adrenaline-fuelled adventure of your choice. COMPLETE THE ARN SURVEY.

More about Apple Computers Australia Pty LtdAVG Technologies AUCisco Systems Australia Pty LtdGoogle AustraliaHewlett-Packard AustraliaHPKasperskyKasperskyMcAfee Australia Pty LtdMicrosoft Pty LtdSymantecTippingPointTippingPointTopicTrend Micro Australia Pty Ltd

ARN Directory | Distributors relevant to this article

ARN Directory | Vendors relevant to this article

Comments

Comments are now closed

 

Latest News

01:38PM
AWS Cloud boosts Bulletproof revenues
01:02PM
WESTCON IMAGINE 2014: Build a private Cloud but don’t forget the software, says ...
12:05PM
Symantec opens Security Operations Centre in Sydney (+30 photos)
11:52AM
Bitcoin could be undermined by "unworkable" tax regime: ADCCA
More News
21 Aug
CAST 611 Advanced Penetration Testing
25 Aug
CA IT Leaders Forum ’14 Brisbane
26 Aug
Integrate 2014 Exhibition & Conference
26 Aug
CA Expo ’14 Sydney
View all events