Microsoft security hacking code may have leaked

Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday

March 17, 2012
Microsoft Windows

Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday after a roadmap for exploiting a severe, recently discovered flaw appeared on a hacking website in China.

The guideline, known as “proof-of-concept” code, most likely leaked from one the more than 70 security companies that get advance warnings from the company about major new holes, according to the researcher who found the flaw.

Microsoft said it was investigating the disclosure and “will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”

“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program partners,” said Yunsun Wee, Microsoft’s director of its Trustworthy Computing effort.

Announced in 2008, Microsoft’s program alerts security companies to upcoming patches, typically a day before the patches themselves are released. The idea is to give them time to prioritize and test the fixes before installing them to protect their customers.

The timing is essential, because once the patches come out, hackers can reverse-engineer them to figure out what problems they solve, then produce tools to break into unpatched systems. The window from patch release to working hacking code has shrunk from months or weeks to days and in some cases hours.

Participants in the advance-warning program include most of the largest and many smaller security vendors, including some in China. All promise to keep the information secret.

Some security professionals questioned why Microsoft allowed so many into its program, though others said it also would be faulted for hoarding information.

The patches for the new hole were distributed on Tuesday, as part of Microsoft’s regular monthly cycle for security fixes. The hole is a very serious one, because full exploitation would allow an attacker to control machines running Windows XP and later Windows versions that have Remote Desktop Protocol enabled, as long as the network doesn’t demand authentication.

The protocol is off by default but turned on by many corporate technologists, who use it to install new programs or fix problems on employee machines.

The flaw could be used to spread a worm, meaning that it could hop from computer to computer without users making mistakes such as clicking on a tainted email attachment.

Microsoft previously warned companies to install the patches as soon as possible, saying that they expected hacking code to circulate within a month.

The researcher who discovered the flaw in May last year, Italian Luigi Auriemma, first submitted his findings and the proof-of-concept to a security group led by Hewlett-Packard’s TippingPoint. That group tested and vetted the research and passed it on to Microsoft in August so that the company could develop a patch.

Auriemma had been checking to see who would reverse-engineer the patch first, and was startled to find that the first code to circulate was his own.

“If the author of the leak is one of the MAPP partners, it’s the epic fail of the whole system,” Auriemma wrote on his personal blog.

Fortunately, the exploit code Auriemma drafted would only shut a PC down, not hand over control to the attacker. Full exploit code has not been seen yet, but security experts said it would likely come more quickly now that the starting point is in the wild.

“Windows users should consider themselves on high alert and harden their defenses by patching their PCs as soon as possible, before we see this worm turn even more malicious,” Sophos security consultant Graham Cluley wrote on his company’s blog.

Tags: Active, Microsoft, Microsoft Active Protections Program

Free Email Newsletter:
Subscribe

Shutterstock is the image partner of MyBroadband – technology images can be found here

Join the conversation

Connect with MyBB

twitterfacebookandroidappleblackberrynewsletterfeed

Poll

Will you subscribe to Telkom’s 100Mbps fibre service if it is available in your area?

View Results

Loading ... Loading ...

More News

ISPs to clamp down on torrenting

BitTorrent binary with sine graph

Uncapped ADSL users should expect even tighter restrictions on torrenting in the future, some ISPs have warned

Sanral won’t present to e-toll panel

E-toll panel

The SA National Roads Agency Limited will not make representations to the advisory panel on e-tolls and their socio-economic impact, it said on Tuesday

Nathi Mthethwa does not have Facebook

Facebook

Arts and Culture Minister Nathi Mthethwa on Tuesday distanced himself from a Facebook profile purporting to be him

Telkom home fibre priced as premium service

IT Money

While no specific pricing is yet available for home fibre, Telkom’s chief operating officer has given some indication of what to expect

Free MyBroadband Newsletter:
Subscribe
X
bool(true)