Microsoft proof of concept exploit ends up in hacker hands

Posted by Shane McGlaun

The world of online security is frenetically paced, with a constant, ongoing battle between software companies and hackers.

Mega corporations like Google and Microsoft often hold contests for friendly hackers - aka white hat or security researchers - to identify exploits for patching. Apparently, some of the flaws are subsequently turned into a working proof of concept by the software companies themselves to help security firms block potential exploits.

Perhaps not unsurprisingly, something went wrong, very wrong on Friday, with Microsoft  confirming that a proof of concept code had fallen into the hands of hackers.

Redmond apparently believes the proof of concept was leaked from one of its Microsoft Active Protection Program or MAPP partners.

"Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners," said Yunsun Wee, a director with Microsoft's Trustworthy Computing group.

"[We are] actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

The leak was discovered late last week when an Italian security researcher named Luigi Auriemma found the proof of concept exploit code on a Chinese website.  Auriemma recognized the code as identical to the one he had provided to HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program, which was used to create a working exploit as part of the verification process. The code was subsequently passed along to Microsoft, and later shared with security software vendors.

It should be noted that the above-mentioned proof of concept code does not allow remote code execution on a compromised computer, but does permit the crashing of targeted systems. Either way, the incident is undoubtedly somewhat embarrassing for Microsoft.