A screenshot from ZDNet shows the proof-of-concept exploit code leaked from Microsoft

Microsoft Active Protection Program Leak Leads to Publication of RDP Exploit Code


The publication of proof-of-concept code on a Chinese website may have been caused by a leak in the Microsoft Active Protections Program, Microsoft said in a statement on Friday.

This news comes as Microsoft announced it would compensate its cloud customers affected by the Azure outage last week.

According to a report by ZDNet, the code was released on a Chinese-language forum last week. Microsoft updated Windows on Tuesday to patch the RDP vulnerability, but researchers surmised that the code could be used by hackers to infect any unpatched PC or server that had RDP enabled, a report by PCWorld says.

“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program partners,” Yunsun Wee, director of trustworthy computing at Microsoft said in a statement. “Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”

Microsoft launched its Active Protections Program in 2008 to provide vulnerability information to security software partners before its monthly security update with the idea that partners would have a head start on building customer protections. Security providers like Alert Logic, which joined in May 2011, are partners of the program. This leak illustrates that these types of vulnerability sharing programs are only effective when they are secure, and when every partner upholds a certain set of standards, including not sharing this information or receiving it with the intention of exploitation.

“Consistent with the charter of the MAPP program, we released details related to the vulnerabilities addressed in MS12-020 to MAPP partners under a strict Non-Disclosure Agreement in advance of releasing the security bulletin. Security software partners use this type of information to build enhanced customer protections that, in many cases, provide customers with more time to make optimal deployment decisions for their environments,” Wee said in a statement.

The program has been criticized from the beginning, as many security researchers claimed that the information would be beneficial to hackers and might actually result in more numerous and more sophisticated exploits. However, in the four years of the program, this is the first confirmed problem.

Security researcher Luigi Auriemma discovered the vulnerability in Windows’ Remote Desktop Protocol in May 2011, and he submitted the data packet to an HP bug bounty program, according to PCWorld. According to the report, the data packet used by the proof-of-concept was the same one he submitted to TippingPoint’s Zero Day Initiative. He says the code seems to have been written by Microsoft for internal tests and leaked during its distribution to partners. Auriemma told PCWorld that if a partner is responsible for the leak, it is an “epic fail of the whole system.”

Two weeks ago the WHIR published a feature on Microsoft’s service provider license agreement for web hosting providers.

Talk back: Are you part of Microsoft’s MAPP program? What do you think about the leak? How do you perceive these types of programs? Are they safe, or do you not trust the other partners? Let us know in the comments.
