Microsoft Security Partner May Have Leaked Windows Exploit Code
- By Chris Paoli
- March 19, 2012
Portions of an exploit code that appeared in the wild last Thursday may have been leaked by a Microsoft security partner, Microsoft said recently.
The leaked exploit revolves around a "critical" patch that Microsoft released last Tuesday as part of its March patch rollout. The patch addresses a Windows Remote Desktop Protocol (RDP)
flaw, originally discovered in May 2011 by Italian security researcher Luigi Auriemma.
As Auriemma explained in a blog post last week, he developed proof-of-concept (POC) code for the flaw and then sold it to Hewlett-Packard last May as part of HP's
TippingPoint's Zero Day Initiative program. HP turned the code
over to Microsoft in June 2011.
In November 2011, Microsoft modified Auriemma's data packet into executable code that could
take advantage of the RDP flaw. However, many lines of code, including Auriemma's data packet, later appeared in the exploit
code that was released on Thursday on a Chinese Web site. While
Auriemma admits that it was his data packet that was found online, he
claims no responsibility for the leak.
"No details and proof-of-concept were released by me after the
releasing of the patch," Auriemma wrote. "I was waiting some days
and I was really curious to know who would have been able to spot the
one-day (like a simple poc) first. After all it was the bug and the
challenge of the moment so why [ruin] the party."
He noted that the timing of the leak -- a
mere two days after Microsoft's RDP fix -- and the fact that the code had not been publicly available suggested an internal leak. The leak must have occurred after Microsoft sent
its executable code to its partners to create "antivirus
signatures," Auriemma theorized. Microsoft agreed with that contention.
"The details of the proof-of-concept code appear to match the
vulnerability information shared with Microsoft Active Protections
Program (MAPP) partners," wrote Yunsun
Wee, director of Microsoft's Trustworthy Computing group, in a blog
post on Friday. "Microsoft is actively investigating the disclosure of these
details and will take the necessary actions to protect customers and
ensure that confidential information we share is protected pursuant to
our contracts and program requirements."
Auriemma provided some advice about the RDP flaw and POC exploit,
describing it as a "use-after-free" memory management bug.
While he said his exploit is basic, an experienced hacker would have no
problem turning it into a working attack.
"Having access to the patches already makes it possible to
deduce the vulnerability details via bindiffing (i.e. comparing the
patched binaries to unpatched binaries), but concluding how to trigger
the vulnerability is not always so straight-forward," Auriemma
wrote. "Having a PoC available, obviously, makes this very
It is strongly recommended that those who have not installed
Microsoft's security bulletin MS12-020 fix do so as soon as
possible. And if that's not possible, Microsoft has provided a
workaround in that bulletin.