
Microsoft Security Partner May Have Leaked Windows Exploit Code

Portions of exploit code that appeared in the wild last Thursday may have been leaked by a Microsoft security partner, Microsoft said recently.

The leaked exploit revolves around a "critical" patch that Microsoft released last Tuesday as part of its March patch rollout. The patch addresses a Windows Remote Desktop Protocol (RDP) flaw, originally discovered in May 2011 by Italian security researcher Luigi Auriemma.

As Auriemma explained in a blog post last week, he developed proof-of-concept (POC) code for the flaw and sold it to Hewlett-Packard last May through HP TippingPoint's Zero Day Initiative program. HP turned the code over to Microsoft in June 2011.

In November 2011, Microsoft turned Auriemma's data packet into executable code that could trigger the RDP flaw. Many lines of that code, including Auriemma's data packet, later appeared in the exploit code that was released on Thursday on a Chinese Web site. While Auriemma acknowledges that the data packet found online is his, he denies any responsibility for the leak.

"No details and proof-of-concept were released by me after the release of the patch," Auriemma wrote. "I waited some days and I was really curious to know who would have been able to spot the one-day (like a simple poc) first. After all it was the bug and the challenge of the moment so why [ruin] the party."

He noted that the timing of the leak -- a mere two days after Microsoft's RDP fix -- and the fact that the code had not been publicly available suggested an internal leak. The leak must have occurred after Microsoft sent its executable code to its partners to create "antivirus signatures," Auriemma theorized. Microsoft agreed with that contention.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners," wrote Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a blog post on Friday. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

Auriemma also provided some details about the RDP flaw and the POC exploit, describing the flaw as a "use-after-free" memory management bug. While he said his exploit is basic, he noted that an experienced hacker would have no problem turning it into a working attack.

"Having access to the patches already makes it possible to deduce the vulnerability details via bindiffing (i.e. comparing the patched binaries to unpatched binaries), but concluding how to trigger the vulnerability is not always so straight-forward," Auriemma wrote. "Having a PoC available, obviously, makes this very clear."

Those who have not yet installed the fix from Microsoft security bulletin MS12-020 are strongly advised to do so as soon as possible. Where that is not possible, Microsoft has provided a workaround in the same bulletin.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
