Microsoft probes security partners for RDP leak

By Darren Pauli, Dan Kaplan on Mar 19, 2012 8:26 AM
Filed under Security

Trusted partners may have leaked exploit code.

Microsoft has begun probing its own security partner network to find out who, if anyone, leaked exploit code used in the Remote Desktop Protocol (RDP) vulnerability patched this week.

Redmond has sufficient cause for concern: a perfect replica of a custom packet had turned up on a Chinese hacker forum after it was circulated to a series of trusted security companies under the Microsoft Active Protections Program (MAPP).

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Microsoft Trustworthy Computing director Yunsun Wee said.

The software giant shares vulnerability details with approved software security providers prior to its monthly fixes being released, so that security firms can protect their customers as soon as the patches are delivered.

As reported on Friday, researcher Luigi Auriemma, who discovered the flaw, suspected foul play when he came across the replica packet.

"It's not a coincidence because the packet I provided was a customised one built on one I captured," Auriemma said in an email. "It's mine, 100 per cent."

He suspected the leaked packet was derived from Microsoft's Proof of Concept (PoC) built for internal tests. The executable "seemed" dated 17 November 2011, he said.

The Chinese PoC contained debugging strings such as 'MSRC11678', which Auriemma said was a "clear reference" to the Microsoft Security Response Centre.

Auriemma said the packet was unique, not least because it had been captured during a quick RDP session and modified by hand, and also because of the:

  • Vulnerability location (maxChannelIds)
  • Hostname was changed to "HOST"
  • GUID was set to zeroes
  • Basic Encoding Rule (BER) numbers were converted from 8 to 32-bit for easier debugging and easier modification of the original packet's fields
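The last point is the kind of fingerprint a defender can check for mechanically. The following is an added example, not code from the article or from any party named in it; it assumes the "BER numbers" are BER INTEGER fields (tag 0x02, such as an MCS maxChannelIds value) and shows the minimal one-byte encoding beside the hand-widened 32-bit form, with a decoder that flags the non-minimal padding.

```python
# Added example, not code from the article or from any party named in it.
# Assumption: the "BER numbers" Auriemma describes are BER INTEGER fields
# (tag 0x02), such as an MCS maxChannelIds value, whose content was widened
# from the minimal 1-byte form to a fixed 32-bit (4-byte) form.

def ber_int_encode(value, width=None):
    """Encode a non-negative INTEGER. width=None gives the minimal (DER)
    content; width=4 forces a padded 32-bit big-endian content field."""
    if value < 0:
        raise ValueError("only non-negative integers handled here")
    nbytes = width if width is not None else value.bit_length() // 8 + 1
    content = value.to_bytes(nbytes, "big")
    return bytes([0x02, len(content)]) + content

def ber_int_decode(buf, offset=0):
    """Decode one INTEGER TLV at offset -> (value, is_minimal, next_offset).
    is_minimal is False when the content carries redundant 0x00 padding,
    which is the hand-widened form the article describes."""
    if offset + 2 > len(buf) or buf[offset] != 0x02:
        raise ValueError("not an INTEGER tag at offset %d" % offset)
    length = buf[offset + 1]
    if length == 0 or length & 0x80:
        raise ValueError("empty or long-form length not handled here")
    start, end = offset + 2, offset + 2 + length
    if end > len(buf):
        raise ValueError("truncated INTEGER")
    content = buf[start:end]
    # DER permits a leading 0x00 only when the next byte has its top bit set
    is_minimal = not (length > 1 and content[0] == 0 and content[1] < 0x80)
    return int.from_bytes(content, "big"), is_minimal, end

def scan_integers(buf):
    """Walk a buffer of consecutive INTEGER TLVs and report each value with
    its minimality flag; a run of non-minimal fields is a fingerprint."""
    out, off = [], 0
    while off < len(buf):
        value, minimal, off = ber_int_decode(buf, off)
        out.append((value, minimal))
    return out

# Constructed sample: the same three parameter values in minimal form and
# in the widened 32-bit form (illustrative values, not captured traffic).
MINIMAL_PDU = b"".join(ber_int_encode(v) for v in (34, 2, 65535))
WIDENED_PDU = b"".join(ber_int_encode(v, 4) for v in (34, 2, 65535))

if __name__ == "__main__":
    print(scan_integers(MINIMAL_PDU))   # every field flagged minimal
    print(scan_integers(WIDENED_PDU))   # every field flagged non-minimal
```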

"In short, it seems written by Microsoft for the internal tests and was leaked probably during its distribution to their partners for the creation of anti-virus signatures and so on," Auriemma wrote on a blog. "The other possible scenario is [that] a Microsoft employee [was] a direct or indirect source of the leak. The hacker intrusion looks the less probable scenario at the moment."

TippingPoint's Zero Day Initiative (ZDI), which first received the bug in May, denied leaking the code. ZDI supplied the data to Microsoft in August so that a fix could be developed.

"It's not a problem, I live for full-disclosure," Auriemma said.

Copyright © SC Magazine, Australia