By Steve Elwart
Proof-of-concept code for a critical Windows vulnerability surfaced on a Chinese-language forum within days of Microsoft's patch, and it appears to have been built from the confidential vulnerability details Microsoft shares with security vendors ahead of its updates. Security researchers are worried the leak came from inside Microsoft's own partner program.
The Microsoft Security Response Center states the Microsoft Active Protections Program is a program for security software providers that “gives members a head start to reproduce the vulnerabilities and program [anti-hacking] tools in advance of Microsoft’s official security updates.”
The site states, “The amount of time between the release of a Microsoft security update and the release of exploit code (vulnerability) for that update continues to shorten. MAPP gives security software providers early access to vulnerability information.”
On March 13, Microsoft issued critical security update MS12-020 for its Windows operating systems.
The update fixed two security holes in the Remote Desktop Protocol (RDP), which lets a user log in to another computer over a local network or the Internet. The more serious of the two would allow an attacker who can reach the RDP port to take over the machine and run code on it without first authenticating.
Within days, Microsoft warned that "proof-of-concept" code for the flaw had been posted publicly. The code does not take over a machine; it crashes an unpatched Windows system, a denial-of-service (DoS) attack against whatever target it is pointed at.
Strings inside the code suggested it had been derived from the vulnerability information Microsoft distributed to MAPP partners, and it was quickly reposted on a Chinese-language forum.
According to Microsoft:
The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements.
According to Yunsun Wee, a director in Microsoft's Trustworthy Computing group, the public proof-of-concept code results only in denial-of-service crashes, and only against unpatched Windows systems.
It appears that the first person to spot the rogue code posting was security researcher Luigi Auriemma, a member of the Autistici/Inventati Network. Auriemma previously has released proof-of-concept code for 34 vulnerabilities affecting popular systems. The majority of those vulnerabilities allow remote code execution on Internet-connected systems, with the remainder giving access to stored information.
Auriemma said the packet embedded in the Chinese proof-of-concept code was the "exact one" he provided to TippingPoint's Zero Day Initiative (ZDI), the program that paid Auriemma for the information. Security blogs and chat rooms were buzzing with news of the leak.
Microsoft’s Security Response Center responded with the following statement: “We continue to watch the threat landscape and we are not aware of public proof-of-concept code that results in remote code execution. … We recommend customers deploy MS12-020 as soon as possible, as this security update protects against attempts to exploit CVE-2012-0002. Additionally we have offered a one-click Fix It to help mitigate risk for those customers who need time to test the update before deploying it.”
Microsoft did not address the details of the leak, and experts are not sure whether the Chinese forum obtained the code directly from the MAPP distribution or acquired it from a third party.
The evidence that the code derived from MAPP material came from the posted code itself. Embedded in the "proof of concept" was the string "MSRC11678," the Microsoft Security Response Center case number assigned to the vulnerability when it was first reported. A case number like that is never part of a working exploit; it only travels with the vulnerability report and the material Microsoft shares with partners.
Even without this smoking gun, Auriemma said he was “100 percent sure” that the leak came directly from Microsoft.
According to Auriemma, a frequent critic of Microsoft, several details in the leaked code point straight back to his original submission to ZDI. One example: Auriemma had intentionally altered one packet to make it unique, and that packet was reproduced byte for byte on the Chinese site. He says this proves there was a leak, because nobody rediscovering the bug independently would have arrived at the same unusual packet.
The publication of the code on a Chinese-language forum heightens the urgency to apply Microsoft's MS12-020 update, which addresses a remote, pre-authentication, network-accessible code-execution vulnerability in Microsoft's implementation of RDP.
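The two kinds of evidence described above, an embedded case-tracking string and a verbatim copy of a deliberately unusual packet, are exactly what an analyst checks for when judging whether a public proof of concept was derived from leaked report material. The script below is an added example, not code from the article, from Microsoft or from Auriemma. It pulls printable ASCII and UTF-16LE strings out of a binary the way the `strings` tool does, flags identifier formats that travel with vulnerability reports (MSRC case numbers such as the "MSRC11678" on this page, CVE ids, ZDI ids), and searches for a known "canary" byte sequence. The sample binary, the canary packet bytes, and all function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Identifier formats that accompany vulnerability reports and partner
# advisories, and that have no business appearing in a working exploit.
# Their presence in third-party code is a provenance clue, not proof.
MARKER_PATTERNS = {
    "msrc_case": re.compile(r"MSRC\s?\d{4,6}"),          # e.g. MSRC11678
    "cve": re.compile(r"CVE-\d{4}-\d{4,7}"),             # e.g. CVE-2012-0002
    "zdi": re.compile(r"ZDI-(?:CAN-)?\d{2,4}-\d{3,4}"),  # ZDI advisory/candidate ids
}

# Hypothetical "canary" packet: a researcher's submission with field values
# deliberately chosen to be unusual, so a verbatim copy elsewhere is telling.
# These bytes are constructed for the example and are not a real RDP packet.
CANARY_PACKET = bytes.fromhex("03 00 00 0c 07 e0 00 00 ff ee 01 0a")

# Constructed sample "binary": a fake header, an ASCII string carrying an
# MSRC case number, a UTF-16LE string carrying a CVE id, then the canary.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"rdp poc MSRC11678 v1\x00\x00"
    + "CVE-2012-0002".encode("utf-16-le") + b"\x00\x00"
    + CANARY_PACKET
    + b"\xff" * 8
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters.

    Windows binaries frequently store text as UTF-16LE, so scanning only for
    ASCII runs would miss half of the useful strings.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def find_case_markers(blob: bytes) -> Dict[str, List[str]]:
    """Map each marker type to the distinct identifiers found in the blob."""
    hits: Dict[str, List[str]] = {name: [] for name in MARKER_PATTERNS}
    for text in extract_strings(blob):
        for name, pattern in MARKER_PATTERNS.items():
            for ident in pattern.findall(text):
                if ident not in hits[name]:
                    hits[name].append(ident)
    return {name: ids for name, ids in hits.items() if ids}


def contains_fingerprint(blob: bytes, fingerprint: bytes) -> List[int]:
    """Return every byte offset at which the fingerprint appears verbatim."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = blob.find(fingerprint, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


if __name__ == "__main__":
    print("strings:", extract_strings(SAMPLE_BLOB))
    print("report identifiers:", find_case_markers(SAMPLE_BLOB))
    print("canary packet at offsets:", contains_fingerprint(SAMPLE_BLOB, CANARY_PACKET))
```

Neither check is conclusive on its own: an identifier string can be planted to mislead, and a packet that uses only the protocol's default values will match any independent implementation. The combination that made this case convincing was an identifier that only exists inside the reporting chain plus a packet with values no one else would have chosen.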
Following the publication of the Chinese proof of concept, Auriemma published his own advisory with technical details of the vulnerability.
He also had his own thoughts on the hacking. Auriemma said he was, “… very happy about what happened because releasing my details was my target in any case and for sure this story will be not forgotten shortly.”
He also said if the author of the leak was one of Microsoft’s partners, then, “it’s the epic fail of the whole system, what do you expect if you give the [Proof of Concept] to your ‘super trusted’ partners?”
The leak is a major embarrassment for Microsoft because MAPP is considered a premier initiative in its efforts to secure its products against cyberattack.
Three years ago, when the program was first launched, Ryan Naraine, a journalist for the technology site ZDNet, warned that Microsoft was making both a daring and a risky move.
At that time, Naraine wrote, “As everyone knows, vulnerability data is big business and the specter of a rogue employee with access to what amounts to zero-day vulnerabilities is a scary thought. What happens if the information flowing through MAPP is being siphoned off and sold to malicious attackers?”
Steve Elwart, P.E., is the senior research analyst with the Koinonia Institute and a subject matter expert for the Department of Homeland Security.