Microsoft has begun probing its security partner network to find out who, if anyone, leaked exploit code pertaining to the Remote Desktop Protocol (RDP) vulnerability patched last week.
The RDP bug enables an attacker to access and install malicious code on any machine using RDP without network-level authentication enabled.
A perfect replica of a custom packet was discovered on a Chinese hacker forum this month, after it was circulated to a series of trusted security companies under the Microsoft Active Protections Program (MAPP).
Microsoft typically shares vulnerability details with approved software security providers before releasing its monthly fixes to allow those providers to immediately protect their customers once the patches are delivered.
According to Microsoft Trustworthy Computing director Yunsun Wee, the company was "actively investigating the disclosure of these details".
"[Microsoft] will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee wrote.
Microsoft warned that a successful exploit was likely to emerge within a month because of "the attractiveness" of the vulnerability to criminals.
Security experts are particularly concerned about the flaw because it affects all Windows versions and could give rise to a worm like the Morto worm, which infected machines last August.
The RDP flaw was first discovered by researcher Luigi Auriemma, who suspected the leaked packet was derived from a proof-of-concept exploit built by Microsoft for internal tests.
The Chinese replica contained debugging strings such as 'MSRC11678', which Auriemma said was a "clear reference" to the Microsoft Security Response Center.
Auriemma said the packet stood out not least because it had been captured during a quick RDP session and modified by hand, and for a further reason:
"In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their partners for the creation of anti-virus signatures and so on," Auriemma wrote on a blog.
"The other possible scenario is [that] a Microsoft employee [was] a direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment."
TippingPoint's Zero Day Initiative (ZDI), which first received the bug in May, denied leaking the code. ZDI supplied the data to Microsoft in August to develop a fix.
"It's not a problem, I live for full-disclosure," Auriemma said.
Copyright © SC Magazine, Australia