Microsoft probes security partners for RDP leak

Microsoft has begun probing its security partner network to find out who, if anyone, leaked exploit code pertaining to the Remote Desktop Protocol (RDP) vulnerability patched last week.

The RDP bug enables an attacker to access and install malicious code on any machines useing RDP without network-level authentication enabled.

A perfect replica of a custom packet was discovered on a Chinese hacker forum this month, after it was circulated to a series of trusted security companies under the Microsoft Active Protections Program (MAPP) .

Microsoft typically shares vulnerability details with approved software security providers before releasing its monthly fixes to allow those providers to immediately protect their customers once the patches are delivered.

According to Microsoft Trustworthy Computing director Yunsun Wee, the company was "actively investigating the disclosure of these details"

"[Microsoft] will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee wrote.

Microsoft warned that a successful exploit was likely to emerge within a month because of "the attractiveness" of the vulnerability to criminals.

Security experts are particularly concerned about the flaw because it affects all Windows versions and could give rise to a worm like the Morto worm, which infected machines last August.

The RDP flaw was first discovered by researcher Luigi Auriemma, who suspected the leaked packet was derived from a proof of concept exploit built by Microsoft for internal tests.

The Chinese replica contained some debugging strings like 'MSRC11678' that Auriemma said was a "clear reference" to the Microsoft Security Response Center.

Auriemma said the packet was unique not least because the packet was captured during a quick RDP session and modified by hand, and also because:

• Hostname was changed to "HOST"
• Guide was set to zeroes
• Vulnerability location (maxChannelIds)
• Basic Encoding Rule (BER) numbers were converted from eight to 32bit for easier debugging and so modifying the fields of the original packet

"In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their partners for the creation of anti-virus signatures and so on," Auriemma wrote on a blog.

"The other possible scenario is [that] a Microsoft employee [was] a direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment."

TippingPoint's Zero Day Initiative (ZDI) which first received the bug in May denied leaking the code. ZDI supplied the data to Microsoft in August to develop a fix.

"It's not a problem, I live for full-disclosure," Auriemma said.

Copyright © SC Magazine, Australia