Last Tuesday Microsoft issued a critical security update for a Remote Desktop Protocol (RDP) flaw in Windows that allows hackers to execute code on systems under the "system" privilege level. The software giant estimated it would take about 30 days until hackers would discover how to exploit the bug, but Bit Tech writes today that someone has leaked working proof-of-concept code, meaning attackers now have everything they need to exploit the vulnerability.
The code doesn't appear to have been developed independently, either. Security researcher Luigi Auriemma, who spotted the flaw and provided a proof-of-concept to Microsoft via TippingPoint's Zero Day Initiative (ZDI) cash-for-bugs security programme, claims that the public proof-of-concept code contains the exact same packet he crafted in his submission to Microsoft. The implication: somebody at Microsoft or TippingPoint leaked the information to the bad guys.
Microsoft, naturally, denies doing any such thing. Instead, the company claims that the leak may have come from one of its Microsoft Active Protections Programme (MAPP) partners, of which ZDI is a member. 'The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Programme partners,' the company's director of trustworthy computing Yunsun Wee admits. 'Consistent with the charter of the MAPP program, we released details related to the vulnerabilities addressed in MS12-020 to MAPP partners under a strict Non-Disclosure Agreement in advance of releasing the security bulletin.'
'Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and programme requirements,' Wee adds.