Microsoft blames and bans Chinese security partner for leaking Windows exploit

After an investigation into a proof-of-concept code leak, Microsoft named, blamed and banned a Chinese security firm and MAPP partner. Hangzhou DPTech has been kicked out of the MAPP program for breaching Microsoft's NDA.

Microsoft issued critical patch MS12-020 to fix the Windows' Remote Desktop Protocol (RDP) vulnerability last month as it was spotted on a Chinese hacker forum and was being exploited in the wild. The kicker is that the exploit code was leaked from one of Microsoft's security partners in the Microsoft Active Protection Program (MAPP). Now Microsoft named, blamed and banned the culprit, Chinese security firm Hangzhou DPTech Technologies Co., Ltd for leaking the proof-of-concept code.

According to the Director of Microsoft's Trustworthy Computing, Yunsun Wee, "During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program."

RELATED: Microsoft announces 7 bulletins for May 2012 Patch Tuesday, closes book on MAPP data leak

Wee's post pointed to "Inside the MAPP program" where the MAPP team defended the program. MAPP was developed in 2008 due to an increase in attackers reverse-engineering Microsoft's monthly security updates. MAPP Senior Program Manager Maarten Van Horenbeeck wrote:

Before the MAPP program, defenders were at a disadvantage because detecting exploits is difficult, especially if a security vendor does not have full information on the types of conditions that may trigger successful exploitation. A vendor could write a signature for every attack file they receive, but they would need to respond to every file individually, or spend significant amounts of time reverse- engineering our security updates themselves. By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe.

MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates.

"We recognize that there is the potential for vulnerability information to be misused." added Van Horenbeeck on MSRC Ecosystem Strategy Team blog. "When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program."

Computerworld reported that Microsoft would not comment when asked if the Mighty M has kicked out other MAPP security partners, but "MAPP counts 73 companies as members, including several other vendors based in China. Six weeks ago, MAPP's rolls listed 78 firms."

Starting this month, May 2012, Microsoft announced that it had "strengthened existing controls" for MAPP and "took actions to better protect our information."

This leads us to Patch Tuesday when Microsoft will release three critical patches to fix remote code execution flaws in Office (including Office for Mac OS X), Windows, .NET Framework and Silverlight. Four other patches are rated important to fix remote code execution flaws in Office and elevation of privilege vulnerabilities in Windows. The Advanced Notification for May has seven bulletins to fix 23 total vulnerabilities. Additionally, Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool.

Sorry to be the bearer of bad news, but CSO reported "the disruptive restarts and the wide range of platforms impacted by this month's bulletins will have IT teams scrambling to accomplish their flaw remediation tasks." Paul Henry, security and forensic analyst for Lumension, added, "With the workload from Oracle and now the bulletins expected from Microsoft many will unfortunately not get a break for the Memorial Day weekend."

If it makes you feel any better, MAPP's Van Horenbeeck says that Microsoft "quite often" has people working on the weekend and at night to test updates. The video below was created in February before the mess with Hangzhou DPTech Technologies. At that time, Van Horenbeeck said customers might have advisories but there were no stories of exploitation because MAPP partners were working together to make sure that didn't happen.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.