Microsoft Slams Windows Exploit Code DisclosureLeaked proof-of-concept exploit code would give attackers remote-control access to an unpatched Windows PC.
Windows 8 Beta: Visual Tour (click image for larger view and for slideshow)
Who leaked proof-of-concept exploit code for a recently disclosed Microsoft Windows vulnerability?
Microsoft last Tuesday patched a "critical" vulnerability involving the Remote Desktop Protocol (RDP) in all versions of Windows. Since the bug could be used by attackers to remotely exploit code of their choosing on any vulnerable PC, Microsoft urged users to update their software as quickly as possible--or use a temporary mitigation tool--and warned that it was strongly likely that an exploit targeting the bug (labeled MS12-020) would hit the wild within 30 days.
Just two days later, however, proof-of-concept exploit code appeared in the wild. Already, there's a bounty--now up to $1,500--to see who can be the first to weaponize that code and add it to the popular penetration testing toolkit Metasploit. Sunday, furthermore, an anonymous user posted Metasploit plug-in code to Pastebin, though it's unclear yet whether the code works.
[ Assuming that you're already being attacked is the new mindset in the security industry. See Security's New Reality: Assume The Worst. ]
Last week, as news of the leaked proof-of-concept exploit code surfaced, accusations began flying over who had given would-be attackers a head start. Suspicion quickly fell on the HP TippingPoint Zero Day Initiative (ZDI), which offers bounties for bugs. Timing-wise, Italian security researcher Luigi Auriemma said in a blog post that he discovered the bug in May 2011 and then sold it to ZDI, which verified the flaw and notified Microsoft in August 2011. Auriemma said that he wasn't responsible for the leak.
Likewise, ZDI has been adamant that it didn't leak any information about the vulnerability. "We are 100% confident that the leaked info regarding MS12-020 did not come from the ZDI," said a Twitter post from the Zero Day Initiative. In response to follow-up criticism that there was no way the program could guarantee it hadn't been the source of the leak, ZDI said, "We have confirmation of where it did come from."
Auriemma also defended ZDI, noting that the proof-of-concept (PoC) exploit code that leaked--and which included code that he'd written--had been marked up by Microsoft. "The executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678 which is a clear reference to the Microsoft Security Response Center," he said. "In short it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their 'partners' ... for the creation of antivirus signatures and so on. The other possible scenario is about a Microsoft employee as direct or indirect source of the leak. The hacker intrusion looks [to be] the less probable scenario at the moment."
By Friday, meanwhile, Microsoft said that it also suspected that the leak had involved the Microsoft Active Protections Program that shares information with security software makers. "The details of the proof-of-concept code appear to match the vulnerability information shared with [MAPP] partners," said Yunsun Wee, director of trustworthy computing for Microsoft, in a blog post. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements." In particular, he noted that anyone party to the information would have signed a non-disclosure agreement before being allowed to access the data, suggesting that there could be legal repercussions for whomever leaked the code.
Regardless of how the code leaked, patching the bug--which would give attackers full, remote access to a vulnerable PC--should now be a top IT priority. "Patch now. Now. If you can't, use the mitigation tool that Microsoft is offering--the tradeoff between requiring network authentication and the fairly high risk of RCE [remote-code execution] in the next couple of weeks is worth it," said Kurt Baumgartner, a security researcher at Kaspersky Lab, in a blog post.
The biggest threat to your company's most sensitive data may be the employee who has legitimate access to corporate databases but less-than-legitimate intentions. Follow our advice in our Defend Data From Malicious Insiders report to mitigate the risk. (Free registration required.)