Microsoft on Thursday outed a China-based network security company as the one responsible for the leak of information that led to the development proof-of-concept code for a major Windows vulnerability that was patched in March.
Hangzhou DPTech Technologies Co., which specializes in firewalls and intrusion prevention systems, breached its non-disclosure contract with the Microsoft Active Protections Program (MAPP), Yunsun Wee, director of Microsoft Trustworthy Computing, said in a blog post. As a result of the leak, Microsoft has removed DPTech from the program.
Under MAPP, Microsoft shares vulnerability details with approved software security providers prior to its monthly fixes being released to allow security firms to immediately protect their customers once the patches are delivered. Specifically MAPP provides its partners with a comprehensive explanation of the vulnerability, a blueprint to trigger the flaw, information on how to detect the bug and a proof-of-concept file.
The vulnerability in question, a "wormable" weakness in the Windows Remote Desktop Protocol, was discovered in May 2011 by researcher Luigi Auriemma, who reported his find to TippingPoint's Zero Day Initiative (ZDI) bug bounty service, which then handed over the information in August to Microsoft to develop a fix. In March, Microsoft released a patch, which came with a warning that the software giant expected to see a code-execution exploit released within 30 days.
It took about two days for a proof-of concept (PoC) to appear on a Chinese hacker site. (However, no known remote exploit has been released).
Upon investigation, Auriemma discovered too many similarities between the published PoC and the one that he sent ZDI so the service could test the vulnerability, he said in a March 16 blog post. As further proof, the posted code appeared modeled after the PoC that Microsoft developed in November for internal tests, and which, he concluded, was likely distributed to partners as part of the MAPP.
"[The PoC published on the Chinese site] contains some debugging strings like 'MSRC11678' which is a clear reference to the Microsoft Security Response Center," Auriemma wrote.
Based on the evidence, Auriemma determined that those responsible for creating the publicly available PoC were the beneficiaries of a leak.
As it turned out, he was right. Now, Microsoft plans to tighten the security controls around the MAPP, though it wouldn't elaborate, Wee said.
In a separate blog post from Microsoft written Wednesday, Maarten Van Horenbeeck, the team manager of MAPP, said Microsoft takes careful steps to ensure incidents like this rarely occur.
"We recognize that there is the potential for vulnerability information to be misused," he wrote. "In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its NDAs very seriously. In addition, we make sure to only release data shortly in advance of the security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done."
A Microsoft spokeswoman declined to divulge specifics about the nature of the leak. An email sent to DPTech for comment was not immediately returned.