3/19/2012 09:29 AM

Microsoft Slams Windows Exploit Code Disclosure

Leaked proof-of-concept exploit code would give attackers remote-control access to an unpatched Windows PC.

Who leaked proof-of-concept exploit code for a recently disclosed Microsoft Windows vulnerability?

Microsoft last Tuesday patched a "critical" vulnerability involving the Remote Desktop Protocol (RDP) in all versions of Windows. Since the bug could be used by attackers to remotely execute code of their choosing on any vulnerable PC, Microsoft urged users to update their software as quickly as possible--or use a temporary mitigation tool--and warned that it was highly likely that an exploit targeting the bug (labeled MS12-020) would hit the wild within 30 days.

Just two days later, however, proof-of-concept exploit code appeared in the wild. Already, there's a bounty--now up to $1,500--to see who can be the first to weaponize that code and add it to the popular penetration testing toolkit Metasploit. Sunday, furthermore, an anonymous user posted Metasploit plug-in code to Pastebin, though it's unclear yet whether the code works.


Last week, as news of the leaked proof-of-concept exploit code surfaced, accusations began flying over who had given would-be attackers a head start. Suspicion quickly fell on the HP TippingPoint Zero Day Initiative (ZDI), which offers bounties for bugs. Timing-wise, Italian security researcher Luigi Auriemma said in a blog post that he discovered the bug in May 2011 and then sold it to ZDI, which verified the flaw and notified Microsoft in August 2011. Auriemma said that he wasn't responsible for the leak.

Likewise, ZDI has been adamant that it didn't leak any information about the vulnerability. "We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," said a Twitter post from the Zero Day Initiative. In response to follow-up criticism that there was no way the program could guarantee it hadn't been the source of the leak, ZDI said, "We have confirmation of where it did come from."

Auriemma also defended ZDI, noting that the proof-of-concept (PoC) exploit code that leaked--and which included code that he'd written--had been marked up by Microsoft. "The executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678 which is a clear reference to the Microsoft Security Response Center," he said. "In short it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their 'partners' ... for the creation of antivirus signatures and so on. The other possible scenario is about a Microsoft employee as direct or indirect source of the leak. The hacker intrusion looks [to be] the less probable scenario at the moment."

By Friday, meanwhile, Microsoft said that it also suspected that the leak had involved the Microsoft Active Protections Program that shares information with security software makers. "The details of the proof-of-concept code appear to match the vulnerability information shared with [MAPP] partners," said Yunsun Wee, director of trustworthy computing for Microsoft, in a blog post. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements." In particular, he noted that anyone party to the information would have signed a non-disclosure agreement before being allowed to access the data, suggesting that there could be legal repercussions for whomever leaked the code.

Regardless of how the code leaked, patching the bug--which would give attackers full, remote access to a vulnerable PC--should now be a top IT priority. "Patch now. Now. If you can't, use the mitigation tool that Microsoft is offering--the tradeoff between requiring network authentication and the fairly high risk of RCE [remote-code execution] in the next couple of weeks is worth it," said Kurt Baumgartner, a security researcher at Kaspersky Lab, in a blog post.
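The mitigation Baumgartner refers to is making RDP require network-level authentication before a session is created, so that unauthenticated clients never reach the vulnerable code path. The PowerShell below is an added example, not code from the article, Microsoft or Kaspersky; it audits whether a Windows host has Remote Desktop enabled and whether network-level authentication is enforced, and optionally applies the setting. It assumes it is run locally on the host being audited (elevated if you call the enforcement function), and that the standard Terminal Server registry values and the Win32_TSGeneralSetting WMI class are present, as they are on supported Windows versions.

```powershell
# Added example (not from the article): audit an RDP-enabled Windows host for
# the network-level authentication workaround discussed above.
# Assumption: runs locally on the host being checked; enforcement needs an
# elevated session.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means the client must authenticate (NLA) before
    # a session is created, which is the trade-off the article describes.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication

    if ($deny -eq 1) {
        $status = 'RDP disabled'
    } elseif ($nla -eq 1) {
        $status = 'RDP on, network authentication required (mitigated)'
    } else {
        $status = 'RDP on, network authentication NOT required (exposed until patched)'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = ($deny -ne 1)
        NlaRequired  = ($nla -eq 1)
        Status       = $status
    }
}

function Set-RdpNlaRequired {
    # Enforce network-level authentication through the TerminalServices WMI
    # provider. Older clients that cannot perform NLA will no longer connect;
    # that is the "requiring network authentication" cost being accepted.
    $setting = Get-CimInstance -Namespace root/cimv2/TerminalServices `
                   -ClassName Win32_TSGeneralSetting `
                   -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $setting `
        -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    Get-RdpExposure
}

# Report the current state and flag hosts that still accept pre-authentication
# RDP traffic, so they can be patched or mitigated first.
$state = Get-RdpExposure
$state | Format-List
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning ("{0} accepts unauthenticated RDP connections; install the " +
                   "MS12-020 update or run Set-RdpNlaRequired as a workaround." -f $state.ComputerName)
}
```

Run the audit across a fleet before deciding on enforcement: hosts that report "exposed until patched" are the ones to update first, and the enforcement function is only a stopgap while the patch is rolled out.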

YMOM100,
User Rank: Apprentice
3/21/2012 | 10:24:31 PM
re: Microsoft Slams Windows Exploit Code Disclosure
This is what I consider the cost of doing business with Microsoft. Get exploited systems, reboot critical systems at least once a month, get 'enterprise' apps that crash and leak memory like there is no tomorrow - and pay dearly for it while Microsoft gives crap about it all. Dear IT managers, CIOs, and CTOs, why the heck do you keep buying Microsoft?
Andrew Hornback,
User Rank: Apprentice
3/20/2012 | 2:00:09 AM
re: Microsoft Slams Windows Exploit Code Disclosure
Is anyone else here distressed about the timeline of these events?

Bug discovered in May 2011 (10 months ago)
Bug verified and notification delivered to Microsoft in August 2011 (7 months ago)
Microsoft develops an exploit of this bug to test with in November 2011 (4 months ago)
Microsoft releases patch in March 2012.

So, for 10 months (or longer), it's possible that this bug could have been exploited without any form of remediation? Given the list of operating systems that are affected by this bug (anything you could find on a Wintel system since roughly 2002, and possibly before that since there's no mention of Windows 2000), and the criticality of this sort of bug if it were exploited, that's worrisome for me as an IT professional.

I think the big thing that a lot of CIOs out there that lean heavily on Microsoft's products in their organization are asking is "What needs to happen at Microsoft to accelerate the remediation process when a problem of this size gets put on their radar?"

Andrew Hornback
InformationWeek Contributor