Microsoft may have leaked attack code for critical Windows bug, says researcher
Hackers rushing to create an exploit for worm-ready RDP flaw may have gotten help from Microsoft or one of its AV partners
Computerworld - Hackers who posted a barebones proof-of-concept attack for a critical Windows vulnerability may have obtained some of the code from Microsoft or one of its antivirus partners, the bug's finder said today.
Luigi Auriemma, an Italian security researcher who discovered the vulnerability in Windows' Remote Desktop Protocol (RDP) in May 2011, then submitted it to a Hewlett-Packard bug bounty program, spelled out the leak theory in a long post to his personal blog Friday.
On Tuesday, Microsoft updated all flavors of Windows to patch the critical RDP vulnerability, telling customers "[We] strongly encourage you to make a special priority of applying this particular update."
That same day, several security researchers predicted attackers would quickly craft a working exploit, and would probably tuck it into a worm able to infect any unpatched PC or server that had RDP enabled.
Auriemma asserted that Microsoft gave hackers a head start.
The data packet used by the proof-of-concept (PoC) -- which first appeared on a Chinese website, according to Trustwave's SpiderLabs -- was the same one he had submitted to HP TippingPoint's Zero Day Initiative (ZDI) as part of the verification process to obtain his bug bounty.
But the executable code -- which used Auriemma's data packet to trigger the RDP vulnerability -- showed signs of having been made by Microsoft months after ZDI passed on its findings to the Redmond, Wash. developer. "The executable PoC was compiled in November 2011 and contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma said.
"In short it seems written by Microsoft for [its] internal tests and was leaked probably during its distribution to their 'partners' for the creation of antivirus signatures and so on," Auriemma charged. "The other possible scenario is [that] a Microsoft employee was [the] direct or indirect source of the leak. [A] hacker intrusion looks the less probable scenario at the moment."
The partners Auriemma referred to are the antivirus firms that participate in the Microsoft Active Protection Program (MAPP), where Microsoft shares vulnerability information with select security companies before a patch goes public. The goal of MAPP is to give antivirus vendors more time to craft exploit detection signatures.
If a MAPP partner was responsible for the leak, "It's the epic fail of the whole system," argued Auriemma.
Microsoft did not reply to a request for comment on Auriemma's claims.
In a Twitter message Friday, ZDI denied it was the source of the leak.
"We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," the team said. "For further information, please query Microsoft."
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts