Microsoft confirms MAPP proof-of-concept exploit code leak

Microsoft confirms MAPP proof-of-concept exploit code leak

Summary: The smoking gun that the leak came from Microsoft's information was contained in a string found in the Chinese proof-of-concept.

TOPICS: Microsoft, Security

An embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows, Microsoft confirmed late Friday.

The company's confirmation of the MAPP leak follows the release of code on a Chinese-language forum that provides a roadmap for hackers to launch remote code execution attacks against a flaw in Microsoft's implementation of the RDP protocol.

The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.

According to Yunsun Wee, a director in Microsoft's Trustworthy Computing group, the public public proof-of-concept code results only in denial-of-service crashes against unpatched Windows systems.

[ SEE: Exploit code published for RDP worm hole; Does Microsoft have a leak? ]

"We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution," Wee added.

follow Ryan Naraine on twitter

We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it," she added.

Microsoft did not address details of the MAPP leak, which effectively gave outsiders advance notice -- and proof-of-concept code -- about the vulnerability before the patch was released.  The company made it clear that security vulnerability details are provided to MAPP partners "under a strict Non-Disclosure Agreement" but there's no word on whether the leak came from a third-party or from Microsoft's own internal process.

The company declined to provide a spokesperson for a full interview.

[ SEE: Microsoft: Expect exploits for critical Windows worm hole ]

The smoking gun that the leak came from Microsoft's information was contained in a string found in the Chinese proof-of-concept.  It references "MSRC11678," which is the Microsoft Security Response Center case number that was assigned to the vulnerability when it was reported by TippingPoint Zero Day Initiative (ZDI)

Even without that string, researcher Luigi Auriemma said he was 100% sure the leak came from Microsoft because of of several unique characteristics.

Auriemma, who was credited with finding and reporting the vulnerability, has published details of those characteristics alongside some not-so-veiled criticisms of the software vendor.

Separately, exploit writers at Core Security has pushed out a "commercial grade exploit" to its IMPACT pen-testing tool.  Core said its exploit triggers a memory corruption vulnerability in the Remote Desktop Service by sending a malformed packet to the 3389/TCP port.  It is currently shipped as a denial-of-service module in IMPACT.

Security researchers have set up a special website ( to monitor the creation and release of exploits targeting this vulnerability.

Topics: Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • We won't know the whole truth and nothing but the truth till

    Loverock Davidson tell us the story :-)
    Over and Out
  • Not really that big of a deal

    The RDP exploit is a big deal, but the fact that it was leaked is not. The most likely explanation is that one of the partners within the MAPP program was hacked. In this day and age that's hardly surprising.

    In the end all this does is make MAPP partners do some serious house cleaning. In the end that's a good thing.
    • It IS a big deal if hackers access stuff inside Microsoft at Redmond.

      A lleak is one thing. But we have to wonder whether there is something more like a remote backdoor opened up by Chinese crackers into all Windows OSes and whether Microsoft have been penetrated. Let's hope MS do due diligence with their own network security and come up with some proper reassurances.
    • Not really that big of a deal

      I agree some house cleaning will occur which is good for everyone. To the MS haters this can happen to any organization you have to trust your employees and the organizations you work with...without it we'd all be pointing fingers. Software is software...written by people so mistakes happen and unfortunately some people are scum and like to leak things they shouldn't.
    • Not to worry? Yes! For those who do not use Windows

      Imagine, for a moment, that those "chinese" hackers have penetrated Microsoft and are lurking on their internal network and "security" computers.

      Let's hope, not, PRAY that this is not the case.

      Because if it is, any patch Microsoft sends out via Windows Update may contain malicious code, a backdoor or whatever, waiting to be triggered by someone. Millions of Windows computers blindly trust Windows Update and will install whatever junk they receive from there, the instant it is published.

      Of course, we should all trust Microsoft, because their Windows software has been rock solid and impenetrable for the past 25 years.
  • Under strict nondisclosure

    So giving these partners the RDP backdoor to Windows is A-OK, because they pinkie-swear not to share it with Chinese hackers?

    Whose bright idea was that?
  • The question is...

    Why is anyone still using Microsoft products? Every day, something awful is breaking in, over and over. If a company uses this software and is hacked, could investors sue for malfeasance because the company should have known better?
    Tony Burzio
    • ZDNet damage control here.

      Gee, what would happen if Microsoft Windows source code was ever released into public domain like Linux has been doing for it's kernel and OS since 1991? The Microsoft world as we know it would stop almost instantly. I have been using Linux for 10+ years with no AV and have never had to think about any of this stuff.

      I just ordered a Rasberry Pi for $35.00 and am planning to install the Fedora Remix (comes with MIT programming software) on it. It is not compatible with Windows. They sold their first stockpile of 10,000 out in a couple of hours and the websites they were using crashed after that from the traffic. It is a credit card sized computer with an ARM processor that can play blue ray video and boots from an SD card using Linux.

      Another missed opportunity for the boys at Microsoft. They are getting pushed further and further into the ground and even the ZDNet shill propaganda can't save them. Microsoft is synonymous with spending money on anti-virus products, virus, botnet, rootkit, spyware and malware infections, calling Geek Squad or Debug-it, downtime, missed school projects and double dipping when users are forced to by a new system without credit for their old license(s). They are going down with a clenched fist, apparently. Supporting school age kids using Linux and LibreOffice is effortless, i.e. no 11th. hour emergency service calls.
      • Windows Ce

        Uh windows CE has supported ARM chips for 10 years now! and i have run windows since 1.0 with no antivirus just common sense and i have never been infected in that time. not ms's fault that you cant use windows with common sense.
      • Re: Viper 589

        Windows CE? The recent versions make it clear they don't do Windows. (Who want's a 1996 based CE?, unless you know of a complete rewrite.) Arm is a Linux universe and since Windows is closed source and no one but Microsoft can work on it, where does that leave it compared to open source, where Seneca University has taken it upon themselves to develop Linux for this ARM? No, you can CE as ancient (non-bloated) history, but Microsoft is out of the game here. No one is even discussing using it -- it's already too far behind.

        [i] The Linux being used here is full bodied, with the API being adjusted for ARM. Windows XP or 7 or 8 isn't an option for the Rasberry Pi. The really funny thing is if anything has to be done with Windows, Microsoft has to do it. Their closed source, proprietary, money making business model has effectively locked them out. Linux can be modified and distributed (in this case by Seneca University) by anyone. Linux is starting to cover the globe, while Microsoft is just concerned with making profit - and it is choking them. What kind of profit are they going to have when Linux is being used everywhere? This Rasberry Pi computer board is the product of a full charity.- Proceeds are going to charity. Profit is not a factor in the Linux business model. [Edited 3-21-2012 09:47] [/i]

        Wow, what an argument for not using AV with Windows. Common Sense? Really? I guess I missed it, Windows is totally secure and protection is just a matter of common sense and all infections are the result of stupid people and the lack of common sense? No, Windows security is non-existent to terrible.
  • be careful.

    WHAT'S ABOUT Windows 8 ???