
Microsoft Security Partner May Have Leaked Windows Exploit Code

Portions of exploit code that appeared in the wild last Thursday may have been leaked by a Microsoft security partner, Microsoft said on Friday.

The leaked exploit targets the vulnerability fixed by a "critical" patch that Microsoft released last Tuesday as part of its March patch rollout. The patch addresses a flaw in Windows' Remote Desktop Protocol (RDP) implementation, originally discovered in May 2011 by Italian security researcher Luigi Auriemma.

As Auriemma explained in a blog post last week, he developed proof-of-concept (PoC) code for the flaw and sold it to Hewlett-Packard last May through HP TippingPoint's Zero Day Initiative (ZDI) program. HP turned the code over to Microsoft in June 2011.

In November 2011, Microsoft built Auriemma's proof-of-concept data packet into executable code that triggered the RDP flaw. Many lines of that code, including Auriemma's packet byte for byte, later appeared in the exploit released on Thursday on a Chinese website. While Auriemma acknowledges that it is his data packet that was found online, he denies any responsibility for the leak.

"No details and proof-of-concept were released by me after the release of the patch," Auriemma wrote. "I was waiting some days and I was really curious to know who would have been able to spot the one-day (like a simple PoC) first. After all it was the bug and the challenge of the moment so why [ruin] the party."

He noted that the timing of the leak, a mere two days after Microsoft's RDP fix, together with the fact that his packet had never been made public, pointed to an internal leak. The leak must have occurred after Microsoft sent its executable code to its partners so they could build "antivirus signatures," Auriemma theorized. Microsoft agreed with that assessment.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners," wrote Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a blog post on Friday. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

Auriemma also characterized the RDP flaw as a "use-after-free" memory-management bug. While he said his proof of concept is basic, he warned that an experienced exploit developer would have no problem turning it into a working attack.

"Having access to the patches already makes it possible to deduce the vulnerability details via bindiffing (i.e. comparing the patched binaries to unpatched binaries), but concluding how to trigger the vulnerability is not always so straightforward," Auriemma wrote. "Having a PoC available, obviously, makes this very clear."

It is strongly recommended that anyone who has not yet installed the fix from Microsoft security bulletin MS12-020 do so as soon as possible. With a proof of concept circulating and the patch available for diffing, a working exploit should be expected. Where patching is not immediately possible, the bulletin describes a workaround.
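The article does not spell out the bulletin's workaround, which was to require Network Level Authentication (NLA) for Remote Desktop and, at the perimeter, to block TCP 3389. As an added example (not code from the article, from Auriemma or from Microsoft), the PowerShell script below audits a Windows host for what a practitioner would check while this flaw is in play: whether the patch is installed, whether Remote Desktop is enabled at all, whether NLA is required so that unauthenticated clients never reach session setup, and whether the host firewall admits RDP. The KB number is a placeholder to be taken from the bulletin for your OS, the registry value names are those used on Windows Vista/7/2008 and later, and the -Enforce switch is an assumption about how an administrator would want to apply the workaround. Run it in an elevated session.

```powershell
# Added example, not from the article or from Microsoft's bulletin: audit a
# host's Remote Desktop exposure before (or instead of) applying MS12-020.
# Assumptions: the registry values below hold the RDP settings (true on
# Windows Vista/7/2008 and later); $KbId is a placeholder you must set from
# the bulletin; -Enforce applies the NLA workaround and closes the host firewall.
param(
    [string]$KbId = 'KB0000000',   # placeholder, replace with the KB from MS12-020 for this OS
    [switch]$Enforce               # when set, require NLA and disable inbound RDP firewall rules
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

# 1. Is the patch present? Get-HotFix reads the same data as "wmic qfe".
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) { $findings += "OK   : $KbId installed on $($hotfix.InstalledOn)" }
else         { $findings += "FAIL : $KbId not installed" }

# 2. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means disabled.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) { $findings += 'OK   : Remote Desktop is disabled, listener not exposed' }
else             { $findings += 'WARN : Remote Desktop is enabled' }

# 3. Is Network Level Authentication required? UserAuthentication = 1 means
#    the client must authenticate before the session is set up, so an
#    unauthenticated attacker cannot reach the session code. This was the
#    bulletin's workaround for hosts that could not be patched right away.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -eq 1) { $findings += 'OK   : NLA required' }
else {
    $findings += 'FAIL : NLA not required; unauthenticated clients reach session setup'
    if ($Enforce) {
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
        $findings += 'FIXED: NLA now required (applies to new connections)'
    }
}

# 4. Does the host firewall admit RDP? The "Remote Desktop" rule group and the
#    NetSecurity cmdlets exist on Windows 8 / Server 2012 and later; on older
#    hosts use "netsh advfirewall firewall show rule" instead, so this step is
#    skipped when the cmdlet is absent.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue
    $open  = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    if ($open.Count -gt 0) {
        $findings += "WARN : $($open.Count) inbound firewall rule(s) allow Remote Desktop"
        if ($Enforce) {
            $open | Disable-NetFirewallRule
            $findings += 'FIXED: inbound Remote Desktop firewall rules disabled'
        }
    } else { $findings += 'OK   : no enabled inbound Remote Desktop firewall rule' }
}

# 5. Report the listener port: the bulletin's other workaround was blocking
#    TCP 3389 at the enterprise firewall, which only helps if the host has
#    not been moved to a non-default port.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$findings += "INFO : RDP listener port is $port"
$findings | ForEach-Object { Write-Output $_ }
```

NLA is a mitigation, not a fix: a client that can authenticate still reaches the vulnerable code, so the patch remains the only complete remedy. Treat any host reporting FAIL on both the patch and NLA checks as exposed.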

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
