Microsoft Drops Chinese Vendor From MAPP After NDA Violations

DPTech Technologies, a security vendor in China, has been removed from Microsoft’s Active Protections Program (MAPP) for leaking proof-of-concept (PoC) code shared with them during the creation of the MS12-020 security bulletin. The leak violated the NDA they had signed with Microsoft, resulting in their expulsion from the program.

In March, Microsoft issued a patch to correct a flaw within RDP (MS12-020). The patch was ranked as critical by the software giant, and security experts predicted that exploit code for the RDP flaw would arrive sooner rather than later. As it turns out, proof-of-concept code appeared within hours of the patch’s release, and Microsoft was indirectly responsible for the PoC code’s appearance.

The code leak came from MAPP, a program created in 2008 in response to an increase in reverse-engineering centered on Microsoft’s monthly update releases.

“We noted that defenders, such as antivirus or intrusion prevention vendors, were in a race against attackers to reverse-engineer our updates in order to create protection signatures,” Microsoft explained in a recent blog post on MAPP.

“By providing technical details about a vulnerability directly to defenders, we strengthen their ability to create more effective and accurate signatures in a shorter timeframe. MAPP also helps to provide a first line of defense for customers who need, or want, to do their own testing prior to deploying our updates.”

MAPP provides participants with technical details related to a given vulnerability, as well as step-by-step instructions for triggering the flaw itself – complete with PoC. As it turns out, this is the information that DPTech Technologies leaked to the Web shortly after MS12-020 was published.

When the PoC itself arrived on the Web, the researcher who discovered the vulnerability in the first place (Luigi Auriemma) recognized his own code within the source. Given that he turned his work over to ZDI, and ZDI quickly denied leaking the code, that left Microsoft as the only likely source. This was later confirmed when elements of the PoC were found to contain markers used by MSRC. Thus, the security industry quickly came to the realization that someone within MAPP had committed a serious breach of trust.

On Thursday, Microsoft addressed the leak with a follow-up from earlier notifications on the issue.

“During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program,” commented Yunsun Wee, the Director of Trustworthy Computing for Microsoft.

The reason why DPTech Technologies broke their NDA and leaked the PoC, marking the first time since its creation that MAPP has been violated, remains unknown. Microsoft would not comment on discussions that they had with the company.

Attempts to contact the firm were unsuccessful.

In related news, Microsoft said it would release seven security bulletins to fix 23 vulnerabilities this month, with three of them listed as critical. In the aftermath of the MAPP breach, May’s bulletins were released to MAPP participants under stronger controls.
