Microsoft security hacking code may have leaked

Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday

By - March 17, 2012 Share on LinkedIn
Microsoft Windows

Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday after a roadmap for exploiting a severe, recently discovered flaw appeared on a hacking website in China.

The guideline, known as “proof-of-concept” code, most likely leaked from one the more than 70 security companies that get advance warnings from the company about major new holes, according to the researcher who found the flaw.

Microsoft said it was investigating the disclosure and “will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”

“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program partners,” said Yunsun Wee, Microsoft’s director of its Trustworthy Computing effort.

Announced in 2008, Microsoft’s program alerts security companies to upcoming patches, typically a day before the patches themselves are released. The idea is to give them time to prioritize and test the fixes before installing them to protect their customers.

The timing is essential, because once the patches come out, hackers can reverse-engineer them to figure out what problems they solve, then produce tools to break into unpatched systems. The window from patch release to working hacking code has shrunk from months or weeks to days and in some cases hours.

Participants in the advance-warning program include most of the largest and many smaller security vendors, including some in China. All promise to keep the information secret.

Some security professionals questioned why Microsoft allowed so many into its program, though others said it also would be faulted for hoarding information.

The patches for the new hole were distributed on Tuesday, as part of Microsoft’s regular monthly cycle for security fixes. The hole is a very serious one, because full exploitation would allow an attacker to control machines running Windows XP and later Windows versions that have Remote Desktop Protocol enabled, as long as the network doesn’t demand authentication.

The protocol is off by default but turned on by many corporate technologists, who use it to install new programs or fix problems on employee machines.

The flaw could be used to spread a worm, meaning that it could hop from computer to computer without users making mistakes such as clicking on a tainted email attachment.

Microsoft previously warned companies to install the patches as soon as possible, saying that they expected hacking code to circulate within a month.

The researcher who discovered the flaw in May last year, Italian Luigi Auriemma, first submitted his findings and the proof-of-concept to a security group led by Hewlett-Packard’s TippingPoint. That group tested and vetted the research and passed it on to Microsoft in August so that the company could develop a patch.

Auriemma had been checking to see who would reverse-engineer the patch first, and was startled to find that the first code to circulate was his own.

“If the author of the leak is one of the MAPP partners, it’s the epic fail of the whole system,” Auriemma wrote on his personal blog.

Fortunately, the exploit code Auriemma drafted would only shut a PC down, not hand over control to the attacker. Full exploit code has not been seen yet, but security experts said it would likely come more quickly now that the starting point is in the wild.

“Windows users should consider themselves on high alert and harden their defenses by patching their PCs as soon as possible, before we see this worm turn even more malicious,” Sophos security consultant Graham Cluley wrote on his company’s blog.

Share your thoughts

Shutterstock is the image partner of MyBroadband – more technology images

Join the conversation

Connect with Us



Which technology do you use for your primary home Internet connection?

View Results

Loading ... Loading ...

More News

The best ADSL service provider in South Africa

South Africa ISPs

The latest MyBroadband survey results reveal which ADSL ISP in South Africa has the most loyal customers.

This is the number Sanral should be reporting: Outa

E-Toll logo

Outa has rubbished Sanral’s claims that there is a rush of motorists taking up the 60% e-toll discount.

KwaZulu-Natal taxi drivers march against Uber

Uber logo on bag

An estimated 300 metered taxi drivers and owners marched to the Durban City Hall on Thursday to complain about Uber.

Alienware coming back to South Africa

Alienware 15 with graphics amplifier

Pinnacle has been appointed the sole distributor of Alienware products in Southern Africa.


Newsletter Subscription

Email *
Enter the following to confirm your subscription *
Captcha image

Free MyBroadband Newsletter