Microsoft has begun probing its own security partner network to find out who, if anyone, leaked exploit code used in the Remote Desktop Protocol (RDP) vulnerability patched this week.
Redmond has sufficient cause for concern: A perfect replica of a custom packet had turned up on a Chinese hacker forum after it was circulated to a series of trusted security companies under the Microsoft Active Protections Program (MAPP) .
|Complete coverage of the RDP vulnerability and exploits|
"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Microsoft Trustworthy Computing director Yunsun Wee said.
The software giant shares vulnerability details with approved software security providers prior to its monthly fixes being released to allow security firms to immediately protect their customers once the patches are delivered
As reported on Friday, researcher Luigi Auriemma who discovered the flaw suspected foul play when he discovered the replica packet.
"It's not a coincidence because the packet I provided was a customised one built on one I captured," Auriemma said in an email. "It's mine, 100 per cent."
He suspected the leaked packet was derived from Microsoft's Proof of Concept (PoC) built for internal tests. The executable "seemed" dated 17 November 2011, he said.
The Chinese PoC contained some debugging strings like 'MSRC11678' that Auriemma said was a "clear reference" to the Microsoft Security Response Center.
Auriemma said the packet was unique not least because the packet was captured during a quick RDP session and modified by hand, and also because the:
- Vulnerability location (maxChannelIds)
- Hostname was changed to "HOST"
- Guide was set to zeroes
- Basic Encoding Rule (BER) numbers were converted from 8 to 32bit for easier debugging and so modifying the fields of the original packet
"In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their partners for the creation of anti-virus signatures and so on," Auriemma wrote on a blog. "The other possible scenario is [that] a Microsoft employee [was] a direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment."
TippingPoint's Zero Day Initiative (ZDI) which first received the bug in May denied leaking the code. ZDI supplied the data to Microsoft in August to develop a fix.
"It's not a problem, I live for full-disclosure," Auriemma said.