Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday after a roadmap for exploiting a severe, recently discovered flaw appeared on a hacking website in China.
The guideline, known as “proof-of-concept” code, most likely leaked from one the more than 70 security companies that get advance warnings from the company about major new holes, according to the researcher who found the flaw.
Microsoft said it was investigating the disclosure and “will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”
“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program partners,” said Yunsun Wee, Microsoft’s director of its Trustworthy Computing effort.
Announced in 2008, Microsoft’s program alerts security companies to upcoming patches, typically a day before the patches themselves are released. The idea is to give them time to prioritize and test the fixes before installing them to protect their customers.
The timing is essential, because once the patches come out, hackers can reverse-engineer them to figure out what problems they solve, then produce tools to break into unpatched systems. The window from patch release to working hacking code has shrunk from months or weeks to days and in some cases hours.
Participants in the advance-warning program include most of the largest and many smaller security vendors, including some in China. All promise to keep the information secret.
Some security professionals questioned why Microsoft allowed so many into its program, though others said it also would be faulted for hoarding information.
The patches for the new hole were distributed on Tuesday, as part of Microsoft’s regular monthly cycle for security fixes. The hole is a very serious one, because full exploitation would allow an attacker to control machines running Windows XP and later Windows versions that have Remote Desktop Protocol enabled, as long as the network doesn’t demand authentication.
The protocol is off by default but turned on by many corporate technologists, who use it to install new programs or fix problems on employee machines.
The flaw could be used to spread a worm, meaning that it could hop from computer to computer without users making mistakes such as clicking on a tainted email attachment.
Microsoft previously warned companies to install the patches as soon as possible, saying that they expected hacking code to circulate within a month.
The researcher who discovered the flaw in May last year, Italian Luigi Auriemma, first submitted his findings and the proof-of-concept to a security group led by Hewlett-Packard’s TippingPoint. That group tested and vetted the research and passed it on to Microsoft in August so that the company could develop a patch.
Auriemma had been checking to see who would reverse-engineer the patch first, and was startled to find that the first code to circulate was his own.
“If the author of the leak is one of the MAPP partners, it’s the epic fail of the whole system,” Auriemma wrote on his personal blog.
Fortunately, the exploit code Auriemma drafted would only shut a PC down, not hand over control to the attacker. Full exploit code has not been seen yet, but security experts said it would likely come more quickly now that the starting point is in the wild.
“Windows users should consider themselves on high alert and harden their defenses by patching their PCs as soon as possible, before we see this worm turn even more malicious,” Sophos security consultant Graham Cluley wrote on his company’s blog.