Two months after exploit code the Microsoft RDP MS12-020 vulnerability made its way into the open before the company released a patch, Microsoft has put the blame for the leak on a Chinese security company, Hangzhou DPTech Technologies. Microsoft said Thursday that it has removed the company from its MAPP information-sharing program.
Microsoft officials said that after word of the leak got out in March they began an investigation to find the source. The security researcher who originally found the RDP bug and reported to Microsoft through the Zero Day Initiative, Luigi Auriemma, said at the time that he suspected that the leak had come from somewhere in the MAPP program, either through one of the partner companies or inside Microsoft itself. The proof-of-concept exploit code that appeared on a Chinese site included a packet that Auriemma wrote himself and forwarded to ZDI.
“The packet I gave to ZDI was unique because I modified it by hand. There are no doubts on this thing,” he said in an email interview at the time of the leak. “Microsoft is the source of the leak, probably during the distribution to MAPP partners, but I still have some doubts.”
MAPP is a program through which Microsoft shares advance information on vulnerabilities with other security companies, including antimalware companies and others, so that they can create signatures and protective measures for the bugs before the details become public.
Microsoft officials said on Thursday that it had determined one of the members of its MAPP (Microsoft Active Protections Program) had compromised the information related to the RDP bug.
“During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program,” Yunsun Wee of Microsoft’s Trustworthy Computing group said.
The company also said that it has changed some of the ways that it handles and protects the information it shares with MAPP companies, though it didn’t specify what changes it was making.
“Additionally, starting with our May release, we strengthened existing controls and took actions to better protect our information. We believe that these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections,” Wee said.