Nytro
Posted March 20, 2012

The big leak: Microsoft's epic security fail

March 19, 2012

It appears the source of a recent zero-day exploit was Microsoft's program to prevent zero-day exploits. Why is Cringely not surprised?

By Robert X. Cringely | InfoWorld

Some words just seem to go together: "bread" and "butter"; "trial" and "error"; "Microsoft" and "security breach." The MS12-020 Remote Desktop Protocol vulnerability revealed last week shows once again that when it comes to data security, Microsoft is its own worst enemy and any "secure" system can be compromised.

As Computerworld's Gregg Keizer reports, the proof-of-concept RDP exploit was developed by Italian security wonk Luigi Auriemma last May. He passed it on to HP's bug bounty program, aka the Zero Day Initiative, in August. HP's ZDI passed Auriemma's code to Microsoft, which shared it with its 79 antivirus security partners in its Microsoft Active Protections Program (MAPP). That list includes the biggest names in computer security, as well as some lesser-known European and Asian firms. Somewhere along the line that code escaped from the lab and is now in the wild, infecting unsuspecting citizens and creating an army of flesh-eating zombies.

(Sorry, I was confusing it with "The Walking Dead." My bad.)

Last week Auriemma found the exploit code he'd created on a Chinese website, along with telltale signs that proved it was the same code he had written and that this code had been passed on to Microsoft before being leaked. Now we have three key suspects: Mr. Ballmer in the library with the candlestick, Ms.
Whitman in the conservatory with the rope, or Premier Wen Jiabao in the lotus garden with the rainbow sword.

Microsoft is pointing the finger at its MAPP partners, and it's probably right, given how easily Symantec was pwned by ********* for its source code last year. I'm not saying Symantec is the leaker (though that's the first place I'd look, simply because of the hack) or that ********* is the leakee. If it were the Anons, you'd think they'd be crowing their heads off about that right about now.

Still, you wouldn't have to be a hacking mastermind to pull this off. A little social engineering to gain access to an email list, a quick search of the inbox for a message containing the log-on and password to the MAPP program -- boom, you're in. Then post the code on a hacker-friendly forum and wait for the walls to come tumbling down.

The effect of the RDP vulnerability, if you're unlucky enough to encounter it: the blue screen of death. In other words, no perceptible difference from Windows' normal operation. And Microsoft has already released a patch. No harm, no foul, right?

Not exactly. Unless this leak is found and patched immediately, the system created to combat zero-day exploits could soon become the leading source for zero-day exploits. The RDP attack can't be the only bad code these guys were playing with, and the next worm-ready malware may not be so benign or so obvious. Even if this leak begins and ends with the RDP exploit, this system has been compromised and can no longer be trusted. Without an early-warning system for these kinds of exploits, we all just got a whole lot less secure.

As Luigi wrote on his personal site:

If the author of the leak is one of the MAPP partners... it's the epic fail of the whole system, what do you expect if you give the [proof of concept] to your "super trusted" partners?

Epic fail. Another two words that go together -- like "Microsoft" and "insecurity."

Is this leak as serious as it sounds?
Did I leave any metaphor unturned? Post your thoughts below or email me: cringe@infoworld.com.

This article, "The big leak: Microsoft's epic security fail," was originally published at InfoWorld.com.

Source: The big leak: Microsoft's epic security fail | Cringely - InfoWorld