Microsoft said major flaw could be exploited in 30 days; estimate off by 29.5

Data that might have leaked from ZDI security bug clearinghouse found in exploit for new flaw

Only two days after announcing the existence of a major flaw in the security of the heavily used remote-access feature in Windows and predicting an exploit that takes advantage of it could appear in less than 30 days, researchers identified a malware app on a Chinese download site that uses the flaw to crash or freeze Windows machines.

The exploit surfaced at about the same time Microsoft was announcing the bug itself and has been confirmed to cause blue-screen-of-death crashes on Windows 7 machines and a system freeze (denial of service condition) on Windows XP, according to Kaspersky Lab Security's ThreatPost.

The flaw, which Microsoft announced Tuesday at the same time it released a patch to repair it, allows hackers use the Remote Desktop Protocol (RDP) to access a stranger's machine, load and execute whatever code they want without having to log in or pass through antivirus and security filters first.

Microsoft recommended that customers install the patch as soon as possible due to the high number of corporate workstations that use RDP-enabled applications and the root access to those machines the flaw could provide.

Though the flaw is critical, writing code that can exploit it is a non-trivial challenge Microsoft's announcement of the flaw predicted it would be approximately 30 days before any workable exploits appeared.

Independent Italian security researcher Luigi Auriemma found an exploit on a Chinese download server the same day.

Data to exploit critical flaw may have leaked early

Auriemma wrote that the "Chinese" exploit contained the same packet he sent to the Zero Day Initiative (ZDI) to alert Microsoft of the flaw in the first place. TippingPoint/DV Labs is a subsidiary of Hewlett-Packard Co. that offers bonuses to independent researchers for submit information about new flaws in commercial software privately to ZDI, which vets the tips and passes them on to the proper vendor.

Tips and alerts submitted to ZDI are supposed to remain confidential specifically to keep news of a major security weakness from circulating among hackers before the vendor has enough time to patch it.

Auriemma appears to be a reliable source for information on security flaws whose history of finding new flaws makes for a long list of both flaws and proof-of-concept exploits, which he posts on his own site.

Neither ZDI nor Microsoft has responded to Auriemma's concern about his alert having leaked.

Having an exploit show up on the same day the flaw is announced, especially containing a packet identical to the one submitted by the researcher who discovered the flaw, would undermine ZDI's reputation as a secure, confidential clearinghouse for undiscovered "zero-day" flaws.

The end result, at least for this particular security hole, is that corporate customers do not have as long as 30 days to test the RDP patch to make sure it doesn't break their remote-access and remote-support applications.

Instead they now face the choice of installing an untested patch immediately to reduce the risk that the Chinese exploit isn't the only one circulating in the wild, or leaving their machines exposed until they're able to complete thorough testing and orderly distribution of patches.

Which just goes to show either that it's never a good idea to assume it will take other people as long as it would take you to take advantage of some huge hole in someone else's security, or that Microsoft security specialists just don't spend enough time hanging around some of the Internet's more disreputable neighborhoods, where new Windows flaws are considered opportunities and taking advantage of them is good business.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies