
Windows RDP Exploit Code Possibly Leaked by Microsoft Partner

Hackers may have had the jump on Microsoft even as it released a "critical" patch for a Windows Remote Desktop Protocol (RDP) flaw in this month's security update.

The researcher who discovered the flaw argues that the timing points to an internal leak: proof-of-concept (PoC) code that had never been publicly available surfaced in the wild a mere two days after Microsoft shipped its RDP fix.

Italian security researcher Luigi Auriemma, who discovered the RDP flaw, laid out this scenario in a blog post last week. He had originally sold his PoC to Hewlett-Packard in May 2011 through HP TippingPoint's Zero Day Initiative (ZDI) program, and HP passed it on to Microsoft in June of that year.

In November, Microsoft turned his data packet into executable code that triggers the RDP flaw. Many lines of that code, including Auriemma's original packet, later appeared in the exploit code released on Thursday on a Chinese Web site. While Auriemma acknowledges that the packet found online is his, he denies any responsibility for the leak.

"No details and proof-of-concept were released by me after the releasing of the patch," he wrote. "I was waiting some days and I was really curious to know who would have been able to spot the one-day (like a simple poc) first. After all it was the bug and the challenge of the moment so why [ruin] the party."

He theorized that the leak must have occurred after Microsoft sent its executable code to its partners so they could build "antivirus signatures." Microsoft's own statement is consistent with that theory.

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners," wrote Yunsun Wee, director of Microsoft's Trustworthy Computing group, in a blog post. "Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

Auriemma also characterized the flaw itself, describing it as a "use-after-free" memory management bug. While he said his PoC is basic, he warned that an experienced attacker would have no trouble turning it into a working attack.

"Having access to the patches already makes it possible to deduce the vulnerability details via bindiffing (i.e. comparing the patched binaries to unpatched binaries), but concluding how to trigger the vulnerability is not always so straightforward," Auriemma wrote. "Having a PoC available, obviously, makes this very clear."

Anyone who has not yet installed the update from Microsoft's security bulletin MS12-020 should do so as soon as possible. Where patching is not immediately possible, the bulletin lists workarounds: enabling Network Level Authentication (NLA) on supported Windows versions, so that a client must authenticate before a session is established and an unauthenticated attacker cannot reach the flaw, and blocking TCP port 3389 at the perimeter firewall. Note that NLA is a mitigation, not a fix; an attacker with valid credentials could still exploit the bug, so the update remains necessary.
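The following PowerShell function is an added example, not code from the article or from Microsoft. It checks a Windows host for the MS12-020 update and for the bulletin's two workarounds (NLA required on the RDP-Tcp listener, an inbound block rule for TCP 3389), and can optionally switch on NLA. The KB number, the function name and the firewall rule name are assumptions; confirm the KB for your Windows version in the bulletin itself. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article or from Microsoft): report MS12-020 exposure
# on the local host and optionally apply the NLA workaround from the bulletin.
function Test-Ms12020Exposure {
    [CmdletBinding()]
    param(
        # Assumption: KB number of the MS12-020 RDP update for this OS. The bulletin
        # lists one KB per Windows version; check it there before trusting this default.
        [string]$KbId = 'KB2621440',
        # Assumption: name of the inbound block rule this script looks for.
        [string]$BlockRuleName = 'Block RDP TCP 3389 inbound',
        # Turn on Network Level Authentication if it is not already required.
        [switch]$Remediate
    )

    $result = [ordered]@{
        PatchInstalled    = $false
        RdpEnabled        = $false
        NlaRequired       = $false
        Port3389Blocked   = $false
    }

    # 1. Is the update installed? Get-HotFix reads the same data as "wmic qfe".
    $result.PatchInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # 2. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is switched off.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $result.RdpEnabled = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)

    # 3. Does the RDP-Tcp listener require NLA? UserAuthenticationRequired = 1 means the
    #    client must authenticate (CredSSP) before a session is created, which is the
    #    bulletin's first workaround. This is the same setting as System Properties >
    #    Remote > "Allow connections only from computers running Remote Desktop with NLA".
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($listener) {
        $result.NlaRequired = ($listener.UserAuthenticationRequired -eq 1)
        if ($Remediate -and -not $result.NlaRequired) {
            [void]$listener.SetUserAuthenticationRequired(1)
            $result.NlaRequired = $true
        }
    }

    # 4. Is inbound TCP 3389 blocked in Windows Firewall? netsh is used because it exists
    #    on every Windows version the bulletin covers, unlike the NetSecurity cmdlets.
    #    "show rule" exits non-zero when no rule matches the name.
    $ruleText = netsh advfirewall firewall show rule name="$BlockRuleName" 2>$null
    $result.Port3389Blocked = ($LASTEXITCODE -eq 0 -and (($ruleText -join "`n") -match 'Block'))

    # A host is reachable by an unauthenticated attacker when RDP is on, the patch is
    # missing, NLA is off and the port is open. NLA alone still leaves authenticated
    # users able to trigger the flaw, which is why the bulletin calls it a workaround.
    $result.UnauthenticatedExposure = $result.RdpEnabled -and -not $result.PatchInstalled `
        -and -not $result.NlaRequired -and -not $result.Port3389Blocked

    if ($result.UnauthenticatedExposure -and -not $Remediate) {
        Write-Warning "Host is exposed to unauthenticated RDP traffic; install $KbId or run with -Remediate."
        Write-Warning "To block the port instead: netsh advfirewall firewall add rule name=`"$BlockRuleName`" dir=in action=block protocol=TCP localport=3389"
    }

    [pscustomobject]$result
}

# Usage: report only, then enforce NLA on a host that cannot be patched yet.
Test-Ms12020Exposure
Test-Ms12020Exposure -Remediate
```

The firewall block is deliberately reported rather than applied by the script, since adding it blindly locks remote administrators out of the host; apply it at the perimeter or only after confirming another management path exists.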

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
