Did Microsoft Leak a Critical Windows Exploit to Hackers? Exploit originated on Chinese website.
March 16th, 2012
PCMAG.com / By Damon Poeter
Hold the phone—is Microsoft leaking attack vectors for its own Windows vulnerabilities to hackers these days? Probably not intentionally, but the Italian security researcher who discovered a critical vulnerability in Microsoft Windows' Remote Desktop Protocol (RDP) said Friday that he believes a barebones proof-of-concept (PoC) attack for the flaw, which recently turned up on a Chinese website, originated with the software giant or one of its security partners.
Microsoft earlier this week issued a patch (MS12-020) for a critical flaw in RDP that affects every supported version of Windows and can be used to crash a machine remotely, going so far as to warn users that the company "strongly encourage[s] you to make a special priority of applying this particular update."
Just a few days after the Patch Tuesday update, security researchers began reporting that a working exploit had been posted online, capable of crashing unpatched computers running Windows 7 or otherwise causing a denial-of-service (DoS) condition on Windows XP machines. It is a plain DoS, not a distributed one: a single unauthenticated client sending the malformed packets is enough.
All in a day's work for the tight-knit cybersecurity community, but the researcher who originally notified Microsoft of the RDP vulnerability thinks the exploit smells pretty fishy.
Luigi Auriemma, who discovered the vulnerability in May 2011 and reported it to Microsoft through ZDI/TippingPoint last August, spelled out his concerns in an Internet posting:
"Between 15 and 16 Mar someone released a precompiled console executable called "rdpclient.exe" somewhere on a Chinese website (is http://115.com/file/be27pff7 the first location?). The program is a basic and poorly written proof-of-concept of the vulnerability and uses pre-built packets.
"After checking the packet dumped from the executable (the first Python PoC) I noticed that the pre-built packet was the same one I sent to ZDI for quickly testing the vulnerability. It was very late here in Italy (05:00) so at the moment I thought that these "Chinese hackers" were really very similar to me :)"
Similar enough to actually be him, the researcher decided.
Further study of rdpclient.exe convinced Auriemma that it contained the pre-built packet he himself had constructed and sent along to Microsoft. That led him to speculate that the full executable PoC that turned up on the Chinese website was compiled by Microsoft itself and passed along to the security-vendor partners in the Microsoft Active Protections Program (MAPP), who receive vulnerability details ahead of Patch Tuesday so they can build detections and protections, and that somewhere along the way it leaked from Microsoft or one of those partners.
Microsoft isn't saying if any of this actually happened yet, but did give PCMag the following statement from Yunsun Wee, director of Trustworthy Computing:
"Microsoft is actively investigating the disclosure of shared MAPP vulnerability details and will take the necessary actions to protect customers. Given that a proof-of-concept is publicly available, we recommend customers apply the security update (MS12-020) as soon as possible to be protected."
We'll say it again—patch that Windows box now!
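Before chasing down who leaked what, the useful question for anyone running Windows is whether their own hosts are reachable by the public PoC. The PowerShell triage script below is an added example, not code from the PCMag article, from Auriemma or from Microsoft. It assumes the documented Terminal Server registry locations for the Remote Desktop listener and Network Level Authentication (NLA) settings, and that the MS12-020 update is delivered as KB2621440 (plus KB2667402 on Windows 7 and Server 2008 R2); those KB identifiers come from Microsoft's bulletin, not from this article, so confirm them for your OS before trusting the result. Run it in an elevated PowerShell on the host being checked.

```powershell
# Added example, not from the PCMag article, Auriemma or Microsoft: local triage for
# MS12-020 exposure. Assumptions not stated in the article: the RDP listener and NLA
# settings live under the documented Terminal Server registry keys, and the update is
# KB2621440 (plus KB2667402 on Windows 7 / Server 2008 R2). Verify the KB numbers
# against the MS12-020 bulletin for your OS before relying on this.

function Test-Ms12020Exposure {
    [CmdletBinding()]
    param(
        # KB identifiers to look for; taken from the bulletin, not from the article.
        [string[]]$KnownKBs = @('KB2621440', 'KB2667402')
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # 1. Is Remote Desktop switched on? fDenyTSConnections = 0 means connections are allowed.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)

    # 2. Is the listener actually bound on 3389? netstat works from XP onward, unlike
    #    Get-NetTCPConnection, which needs Windows 8 / Server 2012 or later.
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING' -Quiet)

    # 3. Is Network Level Authentication required? The bulletin lists NLA as a mitigation:
    #    an unauthenticated client never reaches the vulnerable code path.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($nla -eq 1)

    # 4. Is the update installed? Get-HotFix reads Win32_QuickFixEngineering.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KnownKBs -contains $_.HotFixID })

    # New-Object rather than [pscustomobject] so the function also runs on PowerShell 2.0
    # (the version shipped with Windows 7, which the public PoC targets).
    New-Object -TypeName PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        RdpEnabled            = $rdpEnabled
        Port3389Listening     = $listening
        NlaRequired           = $nlaRequired
        Ms12020KBsInstalled   = (($installed | ForEach-Object { $_.HotFixID }) -join ',')
        # Listening, reachable without credentials, and unpatched: exactly what rdpclient.exe needs.
        ExposedUnauthenticated = ($rdpEnabled -and $listening -and (-not $nlaRequired) -and ($installed.Count -eq 0))
    }
}

Test-Ms12020Exposure | Format-List
```

NLA is a mitigation, not a fix: a host that requires NLA is out of reach of the unauthenticated PoC but remains exploitable by anyone who can log in, so the only column that should satisfy you is the installed-KB one. The function only reports; it changes nothing on the host.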
With additional reporting by Fahmida Y. Rashid.