Microsoft has a big, ugly problem on its hands. The company is caught in the middle of what’s rapidly become a major controversy centered on the leak of proof-of-concept exploit code for the MS12-020 RDP vulnerability. Many researchers, including the one who first discovered the bug and reported it to Microsoft through the Zero Day Initiative, believe that the software giant has a leak, either within its own walls in Redmond, or somewhere in its MAPP information-sharing program.
There are a number of possible explanations for the appearance of the exploit code on a Chinese download site. As odd as it may sound, the absolute best-case scenario for Microsoft is that the code was inadvertently leaked by one of the members of the MAPP (Microsoft Active Protections Program) community. If that’s the case, then it simply means that one (or possibly more) of the MAPP partners was careless with the information Microsoft shared with them and the code somehow got into the wrong hands. That’s not good, but it’s not fatal.
The second possibility is that someone working at one of the MAPP companies deliberately posted the code. The MAPP program includes several dozen security and antimalware companies from around the world, and although those companies have signed NDAs and should restrict access to the MAPP info to a small group of people within their organizations, it’s possible that there’s a rogue employee somewhere along the line who could have done this.
Moving up the scale of relative badness, a third scenario would be that someone at ZDI leaked the exploit code, either deliberately or accidentally. ZDI has been buying bugs from researchers and forwarding the data on to affected vendors for several years now, and there hasn’t been any acknowledged incident of exploit code from the company or one of its affiliated researchers finding its way into the public domain. Once the company confirms that a bug is exploitable and has signatures ready for its customers, it sends the data in encrypted form to the affected vendors and is pretty much out of the process from there on out. And there’s evidence that the code posted on the Chinese site was written well after ZDI sent the vulnerability information to Microsoft.
Aaron Portnoy of ZDI said that he is “100% confident” that the leak did not come from ZDI and that Microsoft has confirmed this, as well.
“It was most definitely not ZDI that leaked anything,” he said. “We PGP encrypt all the details and send it to the vendor and it’s out of our hands at that point. We’ve never had any reason to think that there’s any leaks in our organization.”
A fourth potential scenario is that someone at the Microsoft Security Response Center somehow leaked the code. This is a fairly terrifying possibility. Consider the access that MSRC employees have. They see the incoming bug reports from researchers, work with researchers to confirm the vulnerabilities and help develop proof-of-concept exploits. If someone inside that process purposely handed over information about the RDP bug, it would be a disaster. The RDP vulnerability is a valuable one because of the huge number of affected machines and the fact that it can be exploited over the network, pre-authentication. Giving exploit code for that kind of flaw–or any flaw, for that matter–to outside parties would be about as bad as it gets.
Which leads to the last possibility: the MSRC is compromised. This is the doomsday scenario for Microsoft and its customers. The MSRC is a repository of a tremendous amount of valuable vulnerability data, and if that organization was somehow owned, the repercussions would be mind-boggling. It seems likely that if this were the case, there would have been other indications of the compromise at some point, possibly in the form of other exploits being leaked. And it also stands to reason that if someone had compromised the MSRC, he wouldn’t advertise that fact by posting identifiable exploit code on a public site.
Luigi Auriemma, who discovered the RDP flaw, says that he believes that the leak came from somewhere in the MAPP chain of custody, given that the exploit code in question looks to have been written at the MSRC and that it contains a packet that he is certain is one he wrote explicitly for the purpose of testing the bug.
“The executable PoC was compiled in November 2011 and contains some debugging strings like MSRC11678, which is a clear reference to the Microsoft Security Response Center. In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their ‘partners’ (MAPP) for the creation of antivirus signatures and so on,” he wrote in an analysis of the situation on his site. “The other possible scenario is about a Microsoft employee as direct or indirect source of the leak. The hacker intrusion looks like the less probable scenario at the moment. The information retrieved by other people in the moment I’m writing seems to confirm the MAPP hypothesis.”
Microsoft published a blog post late Friday afternoon on the code leak, but hasn’t made security officials available to answer specific questions.
“The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements,” wrote Yunsun Wee, director in the Trustworthy Computing Group.
Note: Kaspersky Lab is a member of the MAPP program, but Threatpost editors do not have access to the MAPP information.