Microsoft said major flaw could be exploited in 30 days; estimate off by 29.5

Data that might have leaked from ZDI security bug clearinghouse found in exploit for new flaw


Independent Italian security researcher Luigi Auriemma found an exploit on a Chinese download server the same day.

Data to exploit critical flaw may have leaked early

Auriemma wrote that the "Chinese" exploit contained the same packet he had sent to the Zero Day Initiative (ZDI) to alert Microsoft to the flaw in the first place. ZDI is run by TippingPoint DVLabs, a subsidiary of Hewlett-Packard Co., which pays bounties to independent researchers for privately submitting information about new flaws in commercial software; ZDI vets the reports and passes them on to the affected vendor.

Tips and alerts submitted to ZDI are supposed to remain confidential specifically to keep news of a major security weakness from circulating among hackers before the vendor has enough time to patch it.

Auriemma appears to be a reliable source of information on security flaws; his long history of finding them has produced an extensive list of both flaws and proof-of-concept exploits, which he posts on his own site.

Neither ZDI nor Microsoft has responded to Auriemma's concern about his alert having leaked.

An exploit showing up the same day the flaw is announced, especially one containing a packet identical to the one submitted by the researcher who discovered the flaw, would undermine ZDI's reputation as a secure, confidential clearinghouse for unpublished "zero-day" flaws.

The end result, at least for this particular security hole, is that corporate customers do not have anything like 30 days to test the RDP patch and make sure it doesn't break their remote-access and remote-support applications.

Instead they now face a choice: install an untested patch immediately, on the assumption that the Chinese exploit is not the only one circulating in the wild, or leave their machines exposed until they can complete thorough testing and an orderly rollout of the patch.

Which just goes to show one of two things: either it is never a good idea to assume that other people will take as long as you would to take advantage of a huge hole in someone else's security, or Microsoft's security specialists simply don't spend enough time in some of the Internet's more disreputable neighborhoods, where a new Windows flaw is an opportunity and exploiting it is good business.
