Microsoft kicks Chinese company out of vulnerability sharing program

After an investigation into the embarrassing proof-of-concept leak, Microsoft said MAPP partner Hangzhou DPTech Technologies breached the strict non-disclosure agreement.

Microsoft has kicked a Chinese security company out of its MAPP vulnerability information sharing program following a recent leak of proof-of-concept code for a serious security hole in all versions of Windows.

Microsoft identified the company as Hangzhou DPTech Technologies Co., Ltd, a Chinese outfit that describes itself as a "high-tech company integrating research and development, manufacturing and sales in the network security industry."

After an investigation into the embarrassing proof-of-concept leak, Microsoft said Hangzhou DPTech Technologies breached the strict non-disclosure agreement that is meant to ensure that sensitive information doesn't fall into the wrong hands.

"Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program," according to Yunsun Wee, director, Microsoft Trustworthy Computing.


Starting this month, Wee said, Microsoft will strengthen existing controls and take further actions to better protect the MAPP information.

"We believe that these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections," she said.

Microsoft did not elaborate on the new controls. A separate blog post on Microsoft's eco-strat blog provides a detailed overview of MAPP and argues that the benefits of the program outweigh the occasional information leakage problem.


Since MAPP launched in August 2008, there have been at least three confirmed leaks that included the publication of proof-of-concept code snippets on Chinese-language web sites. Microsoft previously suspended an unidentified Chinese security vendor from the program, but there remains a legitimate risk that technical details of high-risk vulnerabilities could reach cyber-criminals before Windows users get a chance to apply security patches.

MAPP data given to security vendors ahead of Patch Tuesday includes:

  • A detailed technical write-up on the vulnerability;
  • A step-by-step process that they can follow to parse an affected file format, or network protocol, that identifies which elements need to have particular values, or exceed specific boundaries, in order to trigger the security vulnerability;
  • Information on how to detect the vulnerability, or exploitation thereof (e.g. event log entries, or stack traces);
  • A Proof-of-Concept file that is in itself not malicious, but contains the specific condition that will trigger the vulnerability. Partners can leverage this file to test detection signatures they develop using the step-by-step process we provide.
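The list above describes a workflow rather than a specific bug: a partner takes the step-by-step parsing guidance, turns the "element exceeds boundary" condition into a detection signature, and verifies it against the non-malicious proof-of-concept file. The following is an added example of that workflow and is not code from Microsoft or from any MAPP partner. The container format (`TOYF`), the record type `0x02`, the 256-byte boundary, and the sample files are all constructed for illustration; they do not describe any real Windows file format or vulnerability.

```python
"""Structural detection signature for a constructed file format.

Everything here is invented for illustration: the TOYF format, the
boundary value, the record type and the sample files. It is not a real
Microsoft format and not taken from any MAPP advisory.
"""
import struct
from dataclasses import dataclass

MAGIC = b"TOYF"
MAX_NAME_LEN = 256   # hypothetical boundary from the (invented) write-up
RECORD_NAME = 0x02   # hypothetical record type carrying the bounded field


@dataclass
class Finding:
    offset: int         # byte offset of the offending record header
    record_type: int
    declared_len: int
    reason: str


def build_file(records):
    """Serialise (type, payload, declared_len) triples.

    declared_len=None writes the true payload length; a value lets a
    test file declare a length that does not match its payload, which
    is how a PoC file can carry the trigger condition without any
    functional exploit content.
    """
    out = bytearray(MAGIC)
    out += struct.pack("<H", len(records))
    for rtype, payload, declared in records:
        rlen = len(payload) if declared is None else declared
        out += struct.pack("<BH", rtype, rlen)
        out += payload
    return bytes(out)


def scan(data):
    """Walk the records and report any that satisfy the trigger condition
    (name length over the boundary) or are structurally inconsistent
    (declared length runs past end of file)."""
    findings = []
    if data[:4] != MAGIC:
        return [Finding(0, -1, 0, "bad magic")]
    (count,) = struct.unpack_from("<H", data, 4)
    pos = 6
    for _ in range(count):
        if pos + 3 > len(data):
            findings.append(Finding(pos, -1, 0, "truncated record header"))
            break
        rtype, rlen = struct.unpack_from("<BH", data, pos)
        if rtype == RECORD_NAME and rlen > MAX_NAME_LEN:
            findings.append(Finding(pos, rtype, rlen, "name length exceeds boundary"))
        if pos + 3 + rlen > len(data):
            findings.append(Finding(pos, rtype, rlen, "declared length runs past end of file"))
            break
        pos += 3 + rlen
    return findings


def is_trigger(data):
    """True if the file would be flagged by the signature."""
    return bool(scan(data))


# Constructed samples: a benign file, a PoC that declares an oversized
# length with almost no payload, and a PoC that actually carries the
# over-long field. Neither PoC contains anything executable.
BENIGN = build_file([(0x01, b"\x01\x00", None), (RECORD_NAME, b"report.txt", None)])
POC_SHORT = build_file([(0x01, b"\x01\x00", None), (RECORD_NAME, b"A" * 8, 0x1000)])
POC_FULL = build_file([(0x01, b"\x01\x00", None), (RECORD_NAME, b"A" * 300, None)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("poc_short", POC_SHORT), ("poc_full", POC_FULL)):
        print(name, [f.reason for f in scan(blob)])
```

The signature keys on the structural condition the guidance would describe (a field past its boundary, or a length that cannot be satisfied by the file), not on any payload bytes, so it matches the trigger file without needing a working exploit to test against.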