Microsoft confirmed that, as speculated months ago, the RDP PoC exploit was sourced from China. It was apparent that the exploit originated in the West as researchers noticed that certain readable text in the code was obviously written by Western speakers. Microsoft released a statement confirming the leak; however, it was not clear how the exploit came to be leaked.

Today Microsoft closed the loop by confirming that Hangzhou DPTech Technologies Co., Ltd – a member of the MAPP program – leaked the information. This confirmed that the leak was from a Chinese source and was indeed Microsoft’s code. Microsoft has responded by removing the partner from the MAPP program.

Incidents like this are very unfortunate, but Microsoft can’t be blamed for trusting a foreign partner: that’s part of doing business, and they do put controls in place to try to protect themselves from this kind of situation.

The MAPP Program definitely serves an awesome purpose by allowing AV and IDS/IPS venders protect their customer base. Leaks in exploit code and even leaks on what they are patching are horrible for security. Microsoft gives certain partners this information before hand so if the information falls into the wrong hands it’s a major problem.

In this case we don’t know how long Chinese exploit developers had before the actual patch was released. In this case it would have been a few days at the least.

I see a lot of leaks on what Microsoft is patching before Patch Tuesdays, which also can tipoff the bad guys, allowing them to switch attack vectors almost a week before anyone has attack signatures. Anytime patch-related information is leaked it’s bad for us all in the information security industry. Loose lips sink ships!


Author: Marcus Carey, security researcher at Rapid7.