
Microsoft Slams Windows Exploit Code Disclosure

Leaked proof-of-concept exploit code would give attackers remote-control access to an unpatched Windows PC.

Who leaked proof-of-concept exploit code for a recently disclosed Microsoft Windows vulnerability?

Microsoft last Tuesday patched a "critical" vulnerability involving the Remote Desktop Protocol (RDP) in all versions of Windows. Since the bug could be used by attackers to remotely execute code of their choosing on any vulnerable PC, Microsoft urged users to update their software as quickly as possible--or use a temporary mitigation tool--and warned that it was highly likely that an exploit targeting the bug (addressed in bulletin MS12-020) would hit the wild within 30 days.

Just two days later, however, proof-of-concept exploit code appeared in the wild. Already, there's a bounty--now up to $1,500--to see who can be the first to weaponize that code and add it to the popular penetration testing toolkit Metasploit. Sunday, furthermore, an anonymous user posted Metasploit plug-in code to Pastebin, though it's unclear yet whether the code works.


Last week, as news of the leaked proof-of-concept exploit code surfaced, accusations began flying over who had given would-be attackers a head start. Suspicion quickly fell on the HP TippingPoint Zero Day Initiative (ZDI), which offers bounties for bugs. Timing-wise, Italian security researcher Luigi Auriemma said in a blog post that he discovered the bug in May 2011 and then sold it to ZDI, which verified the flaw and notified Microsoft in August 2011. Auriemma said that he wasn't responsible for the leak.

Likewise, ZDI has been adamant that it didn't leak any information about the vulnerability. "We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," said a Twitter post from the Zero Day Initiative. In response to follow-up criticism that there was no way the program could guarantee it hadn't been the source of the leak, ZDI said, "We have confirmation of where it did come from."

Auriemma also defended ZDI, noting that the proof-of-concept (PoC) exploit code that leaked--and which included code that he'd written--had been marked up by Microsoft. "The executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678 which is a clear reference to the Microsoft Security Response Center," he said. "In short it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their 'partners' ... for the creation of antivirus signatures and so on. The other possible scenario is about a Microsoft employee as direct or indirect source of the leak. The hacker intrusion looks [to be] the less probable scenario at the moment."

By Friday, meanwhile, Microsoft said that it also suspected that the leak had involved the Microsoft Active Protections Program (MAPP), which shares vulnerability information with security software makers. "The details of the proof-of-concept code appear to match the vulnerability information shared with [MAPP] partners," said Yunsun Wee, director of trustworthy computing for Microsoft, in a blog post. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements." In particular, Wee noted that anyone party to the information would have signed a non-disclosure agreement before being allowed to access the data, suggesting that there could be legal repercussions for whoever leaked the code.

Regardless of how the code leaked, patching the bug--which would give attackers full, remote access to a vulnerable PC--should now be a top IT priority. "Patch now. Now. If you can't, use the mitigation tool that Microsoft is offering--the tradeoff between requiring network authentication and the fairly high risk of RCE [remote-code execution] in the next couple of weeks is worth it," said Kurt Baumgartner, a security researcher at Kaspersky Lab, in a blog post.
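The mitigation Baumgartner refers to is requiring Network Level Authentication (NLA), so that a client must authenticate before the RDP session, and the vulnerable pre-authentication code path, is reached. The PowerShell script below is an added example for auditing and optionally enforcing that setting on a single host; it is not code from the article or from Microsoft's mitigation tool. It assumes that the UserAuthentication DWORD under the RDP-Tcp listener key (1 = NLA required) is the setting to check, and that it runs in an elevated session.

```powershell
# Added example (not from the article or from Microsoft's Fix it tool):
# audit, and with -Enforce require, Network Level Authentication on the
# RDP-Tcp listener, i.e. the "requiring network authentication" mitigation.
# Assumption: UserAuthentication = 1 under the RDP-Tcp listener key is the
# value that makes the listener demand authentication before a session starts.
param(
    [switch]$Enforce
)

$tsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is switched off entirely,
# so the listener is not exposed and there is nothing further to harden.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDisabled -eq 1) {
    Write-Output 'Remote Desktop is disabled on this host; RDP listener not exposed.'
    return
}

# Read the NLA flag; a missing value is treated the same as 0 (not required).
$nla = (Get-ItemProperty -Path $listenerKey -Name UserAuthentication `
        -ErrorAction SilentlyContinue).UserAuthentication

if ($nla -eq 1) {
    Write-Output 'OK: Network Level Authentication is required for RDP connections.'
} else {
    Write-Warning 'RDP accepts connections before authentication (NLA not required).'
    if ($Enforce) {
        Set-ItemProperty -Path $listenerKey -Name UserAuthentication -Value 1 -Type DWord
        Write-Output 'NLA is now required; restart the TermService service (or reboot) to be sure the listener picks up the change.'
    } else {
        Write-Output 'Re-run with -Enforce to require NLA, or install the MS12-020 update.'
    }
}
```

Run it without arguments to report the state of the host, and with `-Enforce` to turn NLA on. The trade-off the quote mentions is real: once NLA is required, clients that cannot perform CredSSP authentication (for example older Windows XP clients that have not been configured for it) will be refused, which is why installing the update remains the complete fix.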


User Rank: Apprentice
3/21/2012 | 10:24:31 PM
re: Microsoft Slams Windows Exploit Code Disclosure
This is what I consider the cost of doing business with Microsoft. Get exploited systems, reboot critical systems at least once a month, get 'enterprise' apps that crash and leak memory like there is no tomorrow - and pay dearly for it while Microsoft gives crap about it all. Dear IT managers, CIOs, and CTOs, why the heck do you keep buying Microsoft?
Andrew Hornback,
User Rank: Apprentice
3/20/2012 | 2:00:09 AM
re: Microsoft Slams Windows Exploit Code Disclosure
Is anyone else here distressed about the timeline of these events?

Bug discovered in May 2011 (10 months ago)
Bug verified and notification delivered to Microsoft in August 2011 (7 months ago)
Microsoft develops an exploit of this bug to test with in November 2011 (4 months ago)
Microsoft releases patch in March 2012.

So, for 10 months (or longer), it's possible that this bug could have been exploited without any form of remediation? Given the list of operating systems that are affected by this bug (anything you could find on a Wintel system since roughly 2002, and possibly before that since there's no mention of Windows 2000), and the criticality of this sort of bug if it were exploited, that's worrisome for me as an IT professional.

I think the big thing that a lot of CIOs out there that lean heavily on Microsoft's products in their organization are asking is "What needs to happen at Microsoft to accelerate the remediation process when a problem of this size gets put on their radar?"

Andrew Hornback
InformationWeek Contributor