Microsoft may have leaked attack code for critical Windows bug, says researcher
Hackers rushing to create an exploit for worm-ready RDP flaw may have gotten help from Microsoft or one of its AV partners
Computerworld - Hackers who posted a barebones proof-of-concept attack for a critical Windows vulnerability may have obtained some of the code from Microsoft or one of its antivirus partners, the bug's finder said today.
Luigi Auriemma, an Italian security researcher who discovered the vulnerability in Windows' Remote Desktop Protocol (RDP) in May 2011, then submitted it to a Hewlett-Packard bug bounty program, spelled out the leak theory in a long post to his personal blog Friday.
On Tuesday, Microsoft updated all flavors of Windows to patch the critical RDP vulnerability, telling customers "[We] strongly encourage you to make a special priority of applying this particular update."
That same day, several security researchers predicted attackers would quickly craft a working exploit, and would probably tuck it into a worm able to infect any unpatched PC or server that had RDP enabled.
Auriemma asserted that Microsoft gave hackers a head start.
The data packet used by the proof-of-concept (PoC) -- which first appeared on a Chinese website, according to Trustwave's SpiderLabs -- was the same one he had submitted to HP TippingPoint's Zero Day Initiative (ZDI) as part of the verification process to obtain his bug bounty.
But the executable code -- which used Auriemma's data packet to trigger the RDP vulnerability -- showed signs of having been made by Microsoft months after ZDI passed on its findings to the Redmond, Wash. developer. "The executable PoC was compiled in November 2011 and contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma said.
"In short it seems written by Microsoft for [its] internal tests and was leaked probably during its distribution to their 'partners' for the creation of antivirus signatures and so on," Auriemma charged. "The other possible scenario is [that] a Microsoft employee was [the] direct or indirect source of the leak. [A] hacker intrusion looks the less probable scenario at the moment."
The partners Auriemma referred to are the antivirus firms that participate in the Microsoft Active Protection Program (MAPP), where Microsoft shares vulnerability information with select security companies before a patch goes public. The goal of MAPP is to give antivirus vendors more time to craft exploit detection signatures.
If a MAPP partner was responsible for the leak, "It's the epic fail of the whole system," argued Auriemma.
Microsoft did not reply to a request for comment on Auriemma's claims.
In a Twitter message Friday, ZDI denied it was the source of the leak.
"We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," the team said. "For further information, please query Microsoft."
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different.... All Cybercrime and Hacking White Papers | Webcasts