Attack Code Leak on the MAPP

Tuesday, March 20, 2012 @ 01:03 PM gHale

The sample attack code created by Microsoft had likely leaked to hackers from a program it runs with antivirus vendors, officials said.

“Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners,” said Yunsun Wee, a director with Microsoft’s Trustworthy Computing group.

Patch Tuesday also Exploit Tuesday
Bounty for Patched RDP Exploit
Microsoft Shuts RDP Hole
Mozilla Firefox 11 Ready to Go

“Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements,” Wee said.

Under MAPP, Microsoft provides select antivirus companies with technical information about bugs before Microsoft patches the flaws. MAPP gives third-party security vendors advance warning so they can craft detection signatures.

Among the things Microsoft shares with MAPP members are “proof-of-concept or repro tools that further illuminate the issue and help with additional protection enhancement.”

Microsoft’s revelation came after claims by Luigi Auriemma, the Italian researcher who reported the vulnerability in Windows Remote Desktop Protocol (RDP) in May 2011.

Auriemma said code found in a proof-of-concept exploit on a Chinese website was identical to what he had provided HP TippingPoint’s Zero Day Initiative (ZDI) bug bounty program. ZDI then used this code to create a working exploit as part of the bounty program’s bug verification work.

ZDI then passed along information about the RDP vulnerability, including the exploit that used Auriemma’s code, to Microsoft.

Auriemma said the public exploit included the string “MSRC11678,” a reference to a Microsoft Security Response Center (MSRC) case number, indicating the leak came from Microsoft.

ZDI denied it had been the source of the leak. “We’re 100% confident that the leak didn’t come from us, and Microsoft is comfortable with us saying that,” Aaron Portnoy, the leader of TippingPoint’s security research team and the head of ZDI.

Portnoy also described the chain of custody of Auriemma’s code — a specially-constructed data packet that triggers the RDP vulnerability — from its May 2011 submission to ZDI to its inclusion in the concept exploit that ZDI provided Microsoft in August 2011 as part of a broader analysis of the vulnerability.

The proof-of-concept exploit now circulating among hackers does not allow remote code execution — necessary to compromise a PC or server, and then plant malware on the system — but instead crashes a vulnerable machine, said Portnoy. The result: The classic Windows “Blue Screen of Death.”

Portnoy also echoed what Microsoft’s Wee said of the similarity between the public exploit and Auriemma’s code. “We can confirm that the executable [exploit] does have a packet that was part of what Luigi gave us,” Portnoy said.

Leave a Reply

You must be logged in to post a comment.