Microsoft confirms RDP exploit code

ID: IRCNE2012031438
Date: 2012-03-17

Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.
The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.
It also sets off alarm bells in the corridors at Redmond because there are clear signs that Microsoft’s pre-patch vulnerability sharing program has been breached or has suffered a major leak.
The program, called MAPP (Microsoft Active Protections Program), provides vulnerability data and triggers to anti-virus, intrusion prevention/detection and corporate network security vendors about 24 hours before the patch is released. The program provides detection guidance ahead of time to help security vendors reproduce the vulnerabilities and ship signatures and detection capabilities without false positives.
Microsoft says it has strict guidelines to ensure the data doesn’t fall into the wrong hands but, in this case, my sources tell me the Chinese hackers had access to MAPP information even before the patch was released.
Microsoft has confirmed that an embarrassing leak within the Microsoft Active Protections Program (MAPP) has led to the publication of proof-of-concept code for a serious security hole in all versions of Windows.
The company said:
“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”
According to Yunsun Wee, a director in Microsoft’s Trustworthy Computing group, the public proof-of-concept code results only in denial-of-service crashes against unpatched Windows systems and they are not aware of public proof-of-concept code that results in remote code execution.
Microsoft recommends that customers deploy MS12-020 as soon as possible. The company did not address details of the MAPP leak.

Related Links:
Expect exploits for critical Windows worm hole