Skip the navigation

Microsoft may have leaked attack code for critical Windows bug, says researcher

Hackers rushing to create an exploit for worm-ready RDP flaw may have gotten help from Microsoft or one of its AV partners

March 16, 2012 03:14 PM ET

Computerworld - Hackers who posted a barebones proof-of-concept attack for a critical Windows vulnerability may have obtained some of the code from Microsoft or one of its antivirus partners, the bug's finder said today.

Luigi Auriemma, an Italian security researcher who discovered the vulnerability in Windows' Remote Desktop Protocol (RDP) in May 2011, then submitted it to a Hewlett-Packard bug bounty program, spelled out the leak theory in a long post to his personal blog Friday.

On Tuesday, Microsoft updated all flavors of Windows to patch the critical RDP vulnerability, telling customers "[We] strongly encourage you to make a special priority of applying this particular update."

That same day, several security researchers predicted attackers would quickly craft a working exploit, and would probably tuck it into a worm able to infect any unpatched PC or server that had RDP enabled.

Auriemma asserted that Microsoft gave hackers a head start.

The data packet used by the proof-of-concept (PoC) -- which first appeared on a Chinese website, according to Trustwave's SpiderLabs -- was the same one he had submitted to HP TippingPoint's Zero Day Initiative (ZDI) as part of the verification process to obtain his bug bounty.

But the executable code -- which used Auriemma's data packet to trigger the RDP vulnerability -- showed signs of having been made by Microsoft months after ZDI passed on its findings to the Redmond, Wash. developer. "The executable PoC was compiled in November 2011 and contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma said.

"In short it seems written by Microsoft for [its] internal tests and was leaked probably during its distribution to their 'partners' for the creation of antivirus signatures and so on," Auriemma charged. "The other possible scenario is [that] a Microsoft employee was [the] direct or indirect source of the leak. [A] hacker intrusion looks the less probable scenario at the moment."

The partners Auriemma referred to are the antivirus firms that participate in the Microsoft Active Protection Program (MAPP), where Microsoft shares vulnerability information with select security companies before a patch goes public. The goal of MAPP is to give antivirus vendors more time to craft exploit detection signatures.

If a MAPP partner was responsible for the leak, "It's the epic fail of the whole system," argued Auriemma.

Microsoft did not reply to a request for comment on Auriemma's claims.

In a Twitter message Friday, ZDI denied it was the source of the leak.

"We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," the team said. "For further information, please query Microsoft."

Our Commenting Policies