DPTech Technologies, a security vendor in China, has been removed from Microsoft’s Active Protections Program (MAPP) for leaking proof-of-concept (PoC) code shared with them during the creation of the MS12-020 security bulletin. The leak violated the NDA they had signed with Microsoft, resulting in their expulsion from the program.
In March, Microsoft issued a patch in order to correct a flaw within RDP (MS12-020). The patch was ranked as critical by the software giant, and security experts predicted that exploit code for the RDP flaw would arrive sooner rather than later. As it turns out, proof of concept code appeared within hours of the patch’s release, and Microsoft was indirectly responsible for the PoC code’s appearance.
The code leak came from MAPP, a program created in 2008 in response to an increase in reverse-engineering centered on Microsoft’s monthly update releases.
“We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures,” Microsoft explained in a recent blog post on MAPP.
“By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe. MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates.”
MAPP provides participants with technical details related to a given vulnerability, as well as step-by-step instructions for trigger the flaw itself – complete with PoC. As it turns out, this is the information that DPTech Technologies leaked to the Web shortly after MS12-020 was published.
When the PoC itself arrived on the Web, the researcher who discovered the vulnerability in the first place (Luigi Auriemma) recognized his own code within the source. Given that he turned his work over to ZDI, and ZDI quickly denied leaking the code, that left Microsoft as the only likely source. This was later confirmed when elements of the PoC contained markers used by MSRC. Thus, the security industry quickly came to the realization that someone within MAPP committed a serious breach of trust.
On Thursday, Microsoft addressed the leak with a follow-up from earlier notifications on the issue.
“During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program,” commented Yunsun Wee, the Director of Trustworthy Computing for Microsoft. The reason why DPTech Technologies broke their NDA and leaked the PoC, marking the first time since its creation that MAPP has been violated, remains unknown. Microsoft would not comment on discussions that they had with the company.
Attempts to contact the firm were unsuccessful.
In related news, Microsoft said it would release seven security bulletins to fix 23 vulnerabilities this month, with three of them listed as critical. In the aftermath of the MAPP breach, May’s bulletins were released to MAPP participants under stronger controls.