
Microsoft program breach led to early RDP vulnerability exploit

Robert Westervelt

A China-based security firm was responsible for leaking data from the Microsoft Active Protections Program, which prompted the creation of an exploit targeting a Windows Remote Desktop Protocol (RDP) vulnerability that was patched in March.


The software giant said Hangzhou DPTech Technologies Co., Ltd., breached the terms of its non-disclosure agreement under the MAPP program when it leaked information about the vulnerability ahead of the patch release. Security vendors that are members of Microsoft’s trusted MAPP program receive vulnerability data and patching information before the public to give engineers time to develop protections for their security products. 

“Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program,” wrote Yunsun Wee of Microsoft Trustworthy Computing, in an announcement about the leak in the Microsoft Security Response Center blog.

Proof-of-concept code targeting the Microsoft RDP vulnerability surfaced on several Chinese websites only days after the March 2012 Patch Tuesday release. Almost immediately, security researchers suspected the code that surfaced could have come from data issued to members of the MAPP program.

Luigi Auriemma, an independent researcher who discovered the Microsoft RDP vulnerability, noted that the proof-of-concept exploits he examined appeared to use the same code he sent to the TippingPoint Zero Day Initiative. The exploit made a Windows system crash, and although experts warned it was a step closer to creating a network worm, there have been no reports of a worm targeting the RDP flaw.

Microsoft unveiled its MAPP program in 2008 with a variety of changes to its patching program. The MAPP program is used by security vendors to add protections against attacks targeting new Microsoft vulnerabilities into intrusion defense and other security systems. Microsoft tells members of the partner program how to detect and exploit the vulnerability. It also provides proof-of-concept code that can trigger the flaw.

Wee said Microsoft strengthened its existing controls for the program and took actions to better protect its information. “We believe these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections,” Wee wrote.