Microsoft has identified a Chinese network-security vendor as the company that leaked proof-of-concept code for a security hole in all versions of its Windows operating system, and has kicked the company out of a program designed to share vulnerability information with security software vendors.
In a May 3 post on the Microsoft Security Response Center blog, Yunsun Wee, director of Microsoft Trustworthy Computing, said an investigation into the leak, which occurred in March, determined that Hangzhou DPTech Technologies was the company that leaked the proof-of-concept code, which found its way onto a Chinese-language online forum.
The publication of the proof-of-concept code essentially gave potential attackers the information needed to exploit the Windows vulnerability before Microsoft could release a patch for it. At the time, Wee said cyber-criminals could use the code to launch remote code execution attacks that leverage the flaw, which Microsoft had rated as critical.
In her blog post, Wee said Microsoft had shared the confidential information with members of the company's Microsoft Active Protections Program (MAPP), which was created in 2008 to enable the software giant to share vulnerability data with security companies so that they can prepare their products for when the security updates are released.
"Microsoft shares this data under a strict nondisclosure agreement (NDA) with all MAPP members," Wee said. Hangzhou DPTech violated this agreement and was removed from the program, she said.
"Additionally, starting with our May release, we strengthened existing controls and took actions to better protect our information," Wee wrote. "We believe that these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections."
She did not detail how Microsoft strengthened the controls or what actions were taken.
In another May 3 post on the MSRC Ecosystem Strategy Team Blog, Microsoft outlined why MAPP was created and how it works. Maarten Van Horenbeeck, senior program manager for the Microsoft Security Response Center, wrote that MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.
"Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases," Van Horenbeeck wrote. "We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion-prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures."
The data that Microsoft shares with MAPP members includes technical write-ups of the vulnerability; a step-by-step process for parsing an affected file format or network protocol that identifies which elements need to have particular values, or exceed specific boundaries, in order to trigger the vulnerability; and information on how to detect the vulnerability or its exploitation, such as event-log entries or stack traces. In addition, Microsoft shares proof-of-concept files that are not malicious but contain the specific condition that will trigger the vulnerability.
Van Horenbeeck wrote that Microsoft constantly reviews the program to ensure that members are adhering to the MAPP rules.
At the time of the leak in March, Wee wrote that Microsoft had not seen active exploitation in the wild, but urged users to apply the fix for the vulnerability as soon as possible.