Microsoft probes security partners for RDP leak

By Darren Pauli, Dan Kaplan on Mar 19, 2012 8:26 AM
Filed under Security

Trusted partners may have leaked exploit code.

Microsoft has begun probing its own security partner network to find out who, if anyone, leaked exploit code used in the Remote Desktop Protocol (RDP) vulnerability patched this week.

Redmond has sufficient cause for concern: a perfect replica of a custom packet turned up on a Chinese hacker forum after it had been circulated to a series of trusted security companies under the Microsoft Active Protections Program (MAPP).


"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Microsoft Trustworthy Computing director Yunsun Wee said.

The software giant shares vulnerability details with approved software security providers before its monthly fixes are released, so that security firms can protect their customers as soon as the patches are delivered.

As reported on Friday, researcher Luigi Auriemma, who discovered the flaw, suspected foul play when he found the replica packet.

"It's not a coincidence because the packet I provided was a customised one built on one I captured," Auriemma said in an email. "It's mine, 100 per cent."

He suspected the leaked packet was derived from Microsoft's proof-of-concept (PoC) built for internal tests. The executable "seemed" to be dated 17 November 2011, he said.

The Chinese PoC contained debugging strings such as 'MSRC11678', which Auriemma said was a "clear reference" to the Microsoft Security Response Centre.

Auriemma said the packet was unique, not least because it had been captured during a quick RDP session and modified by hand, but also because of:

  • the vulnerability location (maxChannelIds)
  • the hostname, which had been changed to "HOST"
  • the Guide, which had been set to zeroes
  • the Basic Encoding Rules (BER) numbers, which had been converted from 8-bit to 32-bit for easier debugging, modifying the fields of the original packet
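The last point is worth making concrete for anyone writing detections. The following is an added illustration, not code from the article, from Auriemma or from Microsoft's PoC: a BER INTEGER such as maxChannelIds can carry the same value in a 1-byte or a 4-byte content field, so a signature keyed on one width silently misses the other, and the robust check is to decode both and compare values. The sample value 34 is constructed for the example.

```python
from typing import Optional, Tuple

# Added example (not from the article or from any leaked PoC). BER INTEGER
# (tag 0x02) as used in the T.125 MCS Connect-Initial that carries
# maxChannelIds. Only short-form lengths (< 128 octets) are produced here.


def ber_encode_integer(value: int, width: Optional[int] = None) -> bytes:
    """Encode a non-negative INTEGER; width=None gives the minimal encoding."""
    if value < 0:
        raise ValueError("negative values are not handled in this example")
    if width is None:
        # Leave room for the sign bit so e.g. 255 becomes 00 FF, not FF.
        width = max(1, (value.bit_length() + 8) // 8)
    content = value.to_bytes(width, "big")  # raises OverflowError if too narrow
    return b"\x02" + bytes([len(content)]) + content


def ber_decode_integer(buf: bytes, offset: int = 0) -> Tuple[int, int]:
    """Decode an INTEGER at buf[offset]; return (value, offset after the field)."""
    if buf[offset] != 0x02:
        raise ValueError("not an INTEGER tag")
    length = buf[offset + 1]
    if length & 0x80:
        # Long-form length: low 7 bits give the number of length octets.
        n = length & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
        start = offset + 2 + n
    else:
        start = offset + 2
    content = buf[start:start + length]
    if len(content) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(content, "big", signed=True), start + length


def same_value(field_a: bytes, field_b: bytes) -> bool:
    """True when two differently-encoded INTEGER fields carry the same value."""
    return ber_decode_integer(field_a)[0] == ber_decode_integer(field_b)[0]


if __name__ == "__main__":
    sample = 34  # constructed sample value for maxChannelIds
    minimal = ber_encode_integer(sample)        # 02 01 22
    widened = ber_encode_integer(sample, 4)     # 02 04 00 00 00 22
    print(minimal.hex(), widened.hex(), same_value(minimal, widened))
```

A byte-pattern match on the widened form fingerprints one hand-edited packet, not the underlying value; decoding first makes the comparison encoding-independent.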

"In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their partners for the creation of anti-virus signatures and so on," Auriemma wrote on a blog. "The other possible scenario is [that] a Microsoft employee [was] a direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment."

TippingPoint's Zero Day Initiative (ZDI), which first received the bug in May, denied leaking the code. ZDI supplied the data to Microsoft in August to develop a fix.

"It's not a problem, I live for full-disclosure," Auriemma said.


Copyright © SC Magazine, Australia
