Microsoft may have leaked attack code for critical Windows bug, says researcher
Hackers rushing to create an exploit for worm-ready RDP flaw may have gotten help from Microsoft or one of its AV partners
Computerworld - Hackers who posted a barebones proof-of-concept attack for a critical Windows vulnerability may have obtained some of the code from Microsoft or one of its antivirus partners, the bug's finder said today.
Luigi Auriemma, an Italian security researcher who discovered the vulnerability in Windows' Remote Desktop Protocol (RDP) in May 2011, then submitted it to a Hewlett-Packard bug bounty program, spelled out the leak theory in a long post to his personal blog Friday.
On Tuesday, Microsoft updated all flavors of Windows to patch the critical RDP vulnerability, telling customers "[We] strongly encourage you to make a special priority of applying this particular update."
That same day, several security researchers predicted attackers would quickly craft a working exploit, and would probably tuck it into a worm able to infect any unpatched PC or server that had RDP enabled.
Auriemma asserted that Microsoft gave hackers a head start.
The data packet used by the proof-of-concept (PoC) -- which first appeared on a Chinese website, according to Trustwave's SpiderLabs -- was the same one he had submitted to HP TippingPoint's Zero Day Initiative (ZDI) as part of the verification process to obtain his bug bounty.
But the executable code -- which used Auriemma's data packet to trigger the RDP vulnerability -- showed signs of having been made by Microsoft months after ZDI passed on its findings to the Redmond, Wash. developer. "The executable PoC was compiled in November 2011 and contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma said.
"In short it seems written by Microsoft for [its] internal tests and was leaked probably during its distribution to their 'partners' for the creation of antivirus signatures and so on," Auriemma charged. "The other possible scenario is [that] a Microsoft employee was [the] direct or indirect source of the leak. [A] hacker intrusion looks the less probable scenario at the moment."
The partners Auriemma referred to are the antivirus firms that participate in the Microsoft Active Protection Program (MAPP), where Microsoft shares vulnerability information with select security companies before a patch goes public. The goal of MAPP is to give antivirus vendors more time to craft exploit detection signatures.
If a MAPP partner was responsible for the leak, "It's the epic fail of the whole system," argued Auriemma.
Microsoft did not reply to a request for comment on Auriemma's claims.
In a Twitter message Friday, ZDI denied it was the source of the leak.
"We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," the team said. "For further information, please query Microsoft."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Cybercrime and Hacking White Papers | Webcasts