Microsoft confirms MAPP proof-of-concept exploit code leak

Summary: The smoking gun that the leak came from Microsoft's information was contained in a string found in the Chinese proof-of-concept.

An embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows, Microsoft confirmed late Friday.

The company's confirmation of the MAPP leak follows the release of code on a Chinese-language forum that provides a roadmap for hackers to launch remote code execution attacks against a flaw in Microsoft's implementation of the RDP protocol.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

According to Yunsun Wee, a director in Microsoft's Trustworthy Computing group, the public proof-of-concept code results only in denial-of-service crashes against unpatched Windows systems.


"We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution," Wee added.


"We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it," she added.

Microsoft did not address details of the MAPP leak, which effectively gave outsiders advance notice -- and proof-of-concept code -- about the vulnerability before the patch was released. The company made it clear that security vulnerability details are provided to MAPP partners "under a strict Non-Disclosure Agreement," but there's no word on whether the leak came from a third party or from Microsoft's own internal process.

The company declined to provide a spokesperson for a full interview.


The smoking gun that the leak came from Microsoft's information was contained in a string found in the Chinese proof-of-concept. It references "MSRC11678," which is the Microsoft Security Response Center case number that was assigned to the vulnerability when it was reported by TippingPoint's Zero Day Initiative (ZDI).

Even without that string, researcher Luigi Auriemma said he was 100% sure the leak came from Microsoft because of several unique characteristics.

Auriemma, who was credited with finding and reporting the vulnerability, has published details of those characteristics alongside some not-so-veiled criticisms of the software vendor.

Separately, exploit writers at Core Security have pushed out a "commercial grade exploit" to its IMPACT pen-testing tool. Core said its exploit triggers a memory corruption vulnerability in the Remote Desktop Service by sending a malformed packet to the 3389/TCP port. It is currently shipped as a denial-of-service module in IMPACT.

Security researchers have set up a special website (http://istherdpexploitoutyet.com/) to monitor the creation and release of exploits targeting this vulnerability.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
