Microsoft security hacking code may have leaked

Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday

March 17, 2012
Microsoft Windows

Microsoft’s process for sharing information about security vulnerabilities in its products came under fire Friday after a roadmap for exploiting a severe, recently discovered flaw appeared on a hacking website in China.

The guideline, known as “proof-of-concept” code, most likely leaked from one the more than 70 security companies that get advance warnings from the company about major new holes, according to the researcher who found the flaw.

Microsoft said it was investigating the disclosure and “will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.”

“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program partners,” said Yunsun Wee, Microsoft’s director of its Trustworthy Computing effort.

Announced in 2008, Microsoft’s program alerts security companies to upcoming patches, typically a day before the patches themselves are released. The idea is to give them time to prioritize and test the fixes before installing them to protect their customers.

The timing is essential, because once the patches come out, hackers can reverse-engineer them to figure out what problems they solve, then produce tools to break into unpatched systems. The window from patch release to working hacking code has shrunk from months or weeks to days and in some cases hours.

Participants in the advance-warning program include most of the largest and many smaller security vendors, including some in China. All promise to keep the information secret.

Some security professionals questioned why Microsoft allowed so many into its program, though others said it also would be faulted for hoarding information.

The patches for the new hole were distributed on Tuesday, as part of Microsoft’s regular monthly cycle for security fixes. The hole is a very serious one, because full exploitation would allow an attacker to control machines running Windows XP and later Windows versions that have Remote Desktop Protocol enabled, as long as the network doesn’t demand authentication.

The protocol is off by default but turned on by many corporate technologists, who use it to install new programs or fix problems on employee machines.

The flaw could be used to spread a worm, meaning that it could hop from computer to computer without users making mistakes such as clicking on a tainted email attachment.

Microsoft previously warned companies to install the patches as soon as possible, saying that they expected hacking code to circulate within a month.

The researcher who discovered the flaw in May last year, Italian Luigi Auriemma, first submitted his findings and the proof-of-concept to a security group led by Hewlett-Packard’s TippingPoint. That group tested and vetted the research and passed it on to Microsoft in August so that the company could develop a patch.

Auriemma had been checking to see who would reverse-engineer the patch first, and was startled to find that the first code to circulate was his own.

“If the author of the leak is one of the MAPP partners, it’s the epic fail of the whole system,” Auriemma wrote on his personal blog.

Fortunately, the exploit code Auriemma drafted would only shut a PC down, not hand over control to the attacker. Full exploit code has not been seen yet, but security experts said it would likely come more quickly now that the starting point is in the wild.

“Windows users should consider themselves on high alert and harden their defenses by patching their PCs as soon as possible, before we see this worm turn even more malicious,” Sophos security consultant Graham Cluley wrote on his company’s blog.

Tags: Active, Microsoft, Microsoft Active Protections Program

Free Email Newsletter:

Shutterstock is the image partner of MyBroadband – technology images can be found here

Join the conversation

Connect with MyBB



What is your preferred mobile platform?

View Results

Loading ... Loading ...

More News

Tor users attacked, possibly monitored

Hacker data

Tor, the Internet privacy protecting service, said it had discovered a compromise on its network that indicated somebody was trying to monitor the activity of its users

Suspended Telkom CFO hearing set for August

Jacques schindehutte

Suspended Telkom CFO Jacques Schindehütte will face a disciplinary hearing on a matter of personal misconduct in August.

TVs that cost the same as a Porsche 911

LG 105-inch curved LED 105UB9

The new LG and Samsung curved Ultra HD televisions will cost you more than R1.2 million – the same price as a Porsche 911

Eskom electricity price hike


Consumers will see an additional electricity price hike next year after Nersa announced it had approved the regulatory clearing account for Eskom

Free MyBroadband Newsletter: