Today Microsoft closed the loop by confirming that Hangzhou DPTech Technologies Co., Ltd Ė a member of the MAPP program Ė leaked the information. This confirmed that the leak was from a Chinese source and was indeed Microsoftís code. Microsoft has responded by removing the partner from the MAPP program.
Incidents like this are very unfortunate, but Microsoft canít be blamed for trusting a foreign partner: thatís part of doing business, and they do put controls in place to try to protect themselves from this kind of situation.
The MAPP Program definitely serves an awesome purpose by allowing AV and IDS/IPS venders protect their customer base. Leaks in exploit code and even leaks on what they are patching are horrible for security. Microsoft gives certain partners this information before hand so if the information falls into the wrong hands itís a major problem.
In this case we donít know how long Chinese exploit developers had before the actual patch was released. In this case it would have been a few days at the least.
I see a lot of leaks on what Microsoft is patching before Patch Tuesdays, which also can tipoff the bad guys, allowing them to switch attack vectors almost a week before anyone has attack signatures. Anytime patch-related information is leaked itís bad for us all in the information security industry. Loose lips sink ships!
Author: Marcus Carey, security researcher at Rapid7.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.