clock menu more-arrow no yes mobile

Filed under:

Malicious code leaks from Microsoft or one of its trusted partners

New, 27 comments

A leak of malicious code from either Microsoft or one of its security partners has been discovered by Luigi Auriemma, an independent security researcher. Auriemma was able to identify the leaked code because he had originally submitted it to Microsoft.

Microsoft offices stock image
Microsoft offices stock image

Code that was submitted to Microsoft last year to demonstrate a serious exploit in Windows has somehow made it into the wild, either through Redmond itself or one of its security partners. The exploit targets a vulnerability in Windows' remote desktop protocol, giving an attacker full control over a system and the ability to easily spread to other machines with remote desktop enabled. Microsoft released a patch for the issue earlier this week, but just a few days later a file called "rdpclient.exe" showed up on a Chinese website. Independent security researcher Luigi Auriemma, who had originally submitted the exploit to Microsoft last August, took a look at the file's contents and found it to be a "poorly written proof-of-concept of the vulnerability [that] uses pre-built packets" — packets that came from his original submission to Microsoft. This led him to claim that the source of the malicious code originated at either Microsoft or one its security partners.

It seems Auriemma was spot on, as Microsoft's Security Response Center acknowledged in a blog post today that the code in rdpclient.exe does indeed match what Auriemma submitted. Prior to the patch, Microsoft had distributed the code to its security partners, but the company did not divulge any details of who was responsible for exposing it, or if it even knew. However, the Zero Day Initiative — one of Microsoft's partners and a firm Auriemma also submitted the exploit to — told Ars Technica that it had confirmed with Microsoft that it wasn't responsible for the leak. This seems to imply that Microsoft has at least some knowledge of where the leak came from.

The exploit affects all versions of Windows from XP onwards, including the latest Windows 8 developer preview. Thankfully, rdpclient.exe seems to only be able to crash a computer, but Microsoft is still encouraging all users to apply the patch as soon as possible. Though the issue may be under control for the time being, the situation has brought to light a bigger problem: the fact that that code found its way into the public. As Auriemma points out on his blog, either someone inside Microsoft is in big trouble, or there's a serious failing within its network of security partners.