Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

WSJ: Microsoft Probing Possible PoC Exploit Code Leak

Software giant Microsoft Corp. has launched an investigation to determine whether one of its flagship information-sharing programs sprung a leak that led to the widespread exploitation of Exchange server deployments around the world.

Software giant Microsoft Corp. has launched an investigation to determine whether one of its flagship information-sharing programs sprung a leak that led to the widespread exploitation of Exchange server deployments around the world.

According to a bombshell report in the Wall Street Journal, Redmond is looking closely at its Microsoft Active Protections Program (MAPP) to figure out if an anti-malware partner in China leaked proof-of-concept code ahead of the availability of security updates.

The MAPP program lets Microsoft share vulnerability data to give anti-malware, intrusion prevention/detection and corporate network security vendors a head-start to add signatures and filters to protect against Microsoft software vulnerabilities. 

The program is popular with defenders but it has long been controversial because of there is legitimate risk that data on serious, unpatched vulnerabilities could land in the wrong hands.

[ ALSO SEE: Microsoft Drops Chinese Vendor From MAPP  ]

In 2012, Microsoft dropped a Chinese vendor from the program after violations and there is rampant speculation that something similar happened in late February this year ahead of the Exchange Server patches.

The WSJ says Microsoft’s new investigation centers on the question of how a stealthy attack that began in early January picked up steam in the week before the company was able to send a software fix to customers. 

From the WSJ article:

Some of the tools used in the second wave of the attack, which is believed to have begun Feb. 28, bear similarities to “proof-of-concept” attack code that Microsoft distributed to antivirus companies and other security partners Feb. 23, investigators at security companies say. Microsoft had planned to release its security fixes two weeks later, on March 9, but after the second wave began it pushed out the patches a week early, on March 2, according to researchers.

One focus of the investigation has been an information-sharing program called the Microsoft Active Protections Program, which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies world-wide, about 10 of which are based in China. A subset of the Mapp partners were sent the Feb. 23 Microsoft notification, which included the proof-of-concept code, according to sources familiar with the program. 

The report said Microsoft declined to say whether any Chinese companies were included in this release.

Microsoft’s probe comes amidst news that ransomware gangs are starting to take aim at the Exchange Server vulnerabilities, adding a new sense of urgency to the need for organization to apply patches and disinfect backdoors from networks.

Related: Microsoft Shares Additional Exchange Server Mitigations 

Related: Microsoft to Share Vulnerability Data with Incident Responders

Related: Microsoft Drops Chinese Vendor From MAPP After NDA Violations

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.