Microsoft confirms MAPP proof-of-concept exploit code leak

The smoking gun that the leak came from Microsoft's information was contained in a string found in the Chinese proof-of-concept.
Written by Ryan Naraine, Contributor

An embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows, Microsoft confirmed late Friday.

The company's confirmation of the MAPP leak follows the release of code on a Chinese-language forum that provides a roadmap for hackers to launch remote code execution attacks against a flaw in Microsoft's implementation of the RDP protocol.

The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.

According to Yunsun Wee, a director in Microsoft's Trustworthy Computing group, the public public proof-of-concept code results only in denial-of-service crashes against unpatched Windows systems.

[ SEE: Exploit code published for RDP worm hole; Does Microsoft have a leak? ]

"We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution," Wee added.

We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it," she added.

Microsoft did not address details of the MAPP leak, which effectively gave outsiders advance notice -- and proof-of-concept code -- about the vulnerability before the patch was released.  The company made it clear that security vulnerability details are provided to MAPP partners "under a strict Non-Disclosure Agreement" but there's no word on whether the leak came from a third-party or from Microsoft's own internal process.

The company declined to provide a spokesperson for a full interview.

[ SEE: Microsoft: Expect exploits for critical Windows worm hole ]

The smoking gun that the leak came from Microsoft's information was contained in a string found in the Chinese proof-of-concept.  It references "MSRC11678," which is the Microsoft Security Response Center case number that was assigned to the vulnerability when it was reported by TippingPoint Zero Day Initiative (ZDI)

Even without that string, researcher Luigi Auriemma said he was 100% sure the leak came from Microsoft because of of several unique characteristics.

Auriemma, who was credited with finding and reporting the vulnerability, has published details of those characteristics alongside some not-so-veiled criticisms of the software vendor.

Separately, exploit writers at Core Security has pushed out a "commercial grade exploit" to its IMPACT pen-testing tool.  Core said its exploit triggers a memory corruption vulnerability in the Remote Desktop Service by sending a malformed packet to the 3389/TCP port.  It is currently shipped as a denial-of-service module in IMPACT.

Security researchers have set up a special website (http://istherdpexploitoutyet.com/) to monitor the creation and release of exploits targeting this vulnerability.

Editorial standards