Microsoft has taken robust action after it identified a Chinese network-security vendor as the company that leaked proof-of-concept code for a security hole in all versions of its Windows operating system.
It kicked the company out of a program designed to share vulnerability information with security software vendors.
In a 3 May post on the Microsoft Security Response Center blog, Yunsen Wee, director of Microsoft Trustworthy Computing, said an investigation into the leak, which occurred in March, determined that Hangzhou DPTech Technologies was the company that leaked the proof-of-concept code, which found its way onto a Chinese-language online forum.
The publishing of the proof-of-concept code essentially gave potential hackers access to the information needed to exploit the Windows vulnerability before Microsoft could release a patch for it. At the time, Wee said cyber-criminals could use the code to launch remote code execution attacks that leverage the flaw, which Microsoft had tagged as “critical.”
Microsoft shares this data under a strict non-disclosure agreement (NDA) with all members of the Microsoft Active Protections Program (MAPP), Wee said. Hangzhou DPTech violated this agreement and was removed from the program, she said.
“Additionally, starting with our May release, we strengthened existing controls and took actions to better protect our information,” Wee wrote. “We believe that these enhancements will better protect our information, while furthering customer protection by aiding partners developing active protections.”
She did not detail how Microsoft strengthened the controls or what actions were taken.
In another 3 May post on the MSRC Ecosystem Strategy Team Blog, Microsoft outlined why MAPP was created and how it works. Maarten Van Horenbeeck, senior program manager for Microsoft Security Response Center, wrote that “MAPP gives defenders a head start by sharing vulnerability information with them so that protection signatures are ready at the same time as security updates.”
“Microsoft developed the MAPP program in 2008 in response to an increase in reverse-engineering occurring around our monthly security update releases,” Van Horenbeeck wrote. “We recognized that there were many tools available that enabled security researchers and attackers alike to very quickly identify the root cause of a vulnerability, given the update binaries. We noted that defenders, such as antivirus or intrusion-prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures.”
The data that Microsoft shares with MAPP members includes technical write-ups of the vulnerability, a step-by-step process to follow “to parse an affected file format, or network protocol, that identifies which elements need to have particular values, or exceed specific boundaries, in order to trigger the security vulnerability,” and information on how to detect the vulnerability or its exploitation, such as event-log entries or stack traces. In addition, Microsoft shares proof-of-concept files that are not malicious, but contain the “specific condition that will trigger the vulnerability.”
Van Horenbeeck wrote that Microsoft constantly reviews the program to ensure that members are adhering to the MAPP rules.
At the time of the leak in March, Wee wrote that Microsoft had not seen an “active exploitation in the wild,” but urged users to apply the fix for the vulnerability as soon as possible.