On Tuesday, Microsoft issued a patch to plug a critical hole in Windows’ Remote Desktop Protocol. Anticipating that an exploit could be developed within the “next 30 days,” the company “strongly” advised immediate deployment of the patch in a blog post detailing the RDP vulnerability (CVE-2012-0002). It seems Microsoft was right about the vulnerability being highly attractive to hackers.
Chinese hackers are said to have already published proof-of-concept (PoC) exploit code for the RDP hole. But there seems to be something even more troubling here than the exploit code itself. It is feared that the hackers who published the code on a Chinese-language forum may have had access to data from MAPP (Microsoft Active Protections Program), which provides vulnerability information to security software partners ahead of Microsoft’s monthly security updates “so partners can build enhanced customer protections.”
Luigi Auriemma, the security researcher who first discovered the vulnerability, has alleged that the Chinese PoC is the “exact one” he provided to TippingPoint ZDI (Zero Day Initiative). He suspects a leak at either ZDI or Microsoft. “The packet I gave to ZDI wasn’t just a simple fuzzed packet. I modified at some points to make it unique,” Auriemma told ZDNet in an interview.
If it is indeed a MAPP leak, then Microsoft has a huge problem on its hands. This is what Microsoft’s site says about MAPP: “You will receive advance vulnerability information for those vulnerabilities to be addressed in Microsoft’s regularly scheduled monthly security update releases. This information package will provide documents that outline our information on the vulnerability. These documents outline the steps used to reproduce the vulnerability as well as the steps used to detect the issue.”
“At times, Microsoft might also provide a proof-of-concept or repro tool that further illuminates the issue and helps with additional protection enhancement. Providing this information enables software security providers to provide timely and enhanced protections for our mutual customers.”
In a less sinister development, Gun.io (pronounced gun-yo), a platform that lets independent and open source developers hire each other, has announced a cash reward for anyone who comes up with “a working exploit for CVE-2012-0002 (the new RDP hole) as a Metasploit module.” Interestingly, it is not a fixed reward but a crowd-funded bounty: anyone residing in the United States can add to the overall amount. The amount currently on offer is still fairly modest, at a shade under $1,500.
In an email interview with Krebs on Security, Gun.io’s 23-year-old founder Rich Jones revealed that this is the first time in the six-month-old site’s history that a bounty has been offered for a software exploit. He also revealed that most of the money for this particular project has been pledged by Metasploit creator HD Moore, who currently serves as CSO of the vulnerability management company Rapid7.