Chinese firm leaked RDP exploit code

Powered by SC Magazine
 

Vulnerability sharing programs called into question.

A Chinese security firm was named responsible for the leak of Remote Desktop Protocol (RDP) exploit code and has been booted from Microsoft's vulnerability-sharing program.

Hangzhou DPTech Technologies Co, a specialist in firewalls and intrusion prevention systems, breached its non-disclosure contract with the Microsoft Active Protections Program (MAPP) by leaking the dangerous code.

Complete RDP vulnerability coverage


Under MAPP, Microsoft shares vulnerability details with approved software security providers prior to its monthly fixes being released to allow security firms to immediately protect their customers once the patches are delivered.

Specifically MAPP provides its partners with a comprehensive explanation of the vulnerability, a blueprint to trigger the flaw, information on how to detect the bug and a proof-of-concept file.

The vulnerability in question, a "wormable" weakness in the Windows RDP, was discovered in May 2011 by researcher Luigi Auriemma, who reported his find to TippingPoint's Zero Day Initiative (ZDI) bug bounty service.

It was handed in August to Microsoft to develop a fix.

In March, Microsoft released a patch that came with a warning that the software giant expected to see a code-execution exploit released within 30 days.

It took about two days for a proof-of concept (PoC) to appear on a Chinese hacker site. No known remote exploit has been released.

Upon investigation, Auriemma discovered many similarities between the published PoC and the one that he sent ZDI so the service could test the vulnerability.

As further proof, the posted code appeared modelled after the PoC that Microsoft developed in November for internal tests, and which, he concluded, was likely distributed to partners as part of the MAPP.

"[The PoC published on the Chinese site] contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma said.

Based on the evidence, Auriemma determined that those responsible for creating the publicly available PoC were the beneficiaries of a leak.

As it turned out, he was right. Now, Microsoft plans to tighten the security controls around the MAPP, though it wouldn't elaborate.

MAPP  team manager Maarten Van Horenbeeck said Microsoft took careful steps to ensure incidents like this rarely occurred.

"We recognise that there is the potential for vulnerability information to be misused," he said.

"In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its  NDAs very seriously. In addition, we make sure to only release data shortly in advance of the security update.

"Today, we send MAPP data to our partners just as far in advance as they need to get that work done."

A Microsoft spokeswoman could not immediately be reached for comment. An email sent to DPTech for comment was not immediately returned.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Chinese firm leaked RDP exploit code
 
 
 
Top Stories
Photos: iTnews Benchmark Awards countdown begins
Just a few days left until entries close for 2014.
 
Australian Govt to rethink cyber security strategy
Six-year old policy to be refreshed.
 
The failure of the antivirus industry
[Blog post] Insights from AVAR 2014.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
More 4G from Optus in Darwin
Nov 21, 2014
Click to see where Optus has expanded coverage to the suburbs near Darwin.
Optus steps up regional 4G coverage
Nov 20, 2014
Once 700Mhz services are working, Optus claims regional users will have a "faster and more ...
This Huawei 4G phone costs $99
Nov 12, 2014
The $99 Huawei Ascend Y550, available through Vodafone, enters the budget market as one of the ...
4G smartphones: Microsoft's Lumia 830
Nov 7, 2014
Microsoft has announced its flagship Windows Phone, the Nokia Lumia 830 4G, will be available in ...
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 1059

Vote