The Freeland File
Global Market Data
Tales from the Trail
Lucy P. Marcus
David Cay Johnston
The Great Debate
Jack & Suzy Welch
Macro & Markets
Lipper Awards 2012
Personal Finance Video
Lawmakers, film star Clooney arrested at anti-Sudan protest
16 Mar 2012
"Man vs. Wild" star Bear Grylls fired by TV network
14 Mar 2012
Meghan McCain talks sex and politics in Playboy
16 Mar 2012
Kony film director hospitalized after "unfortunate incident"
Kony video director hospitalized in U.S. after "incident"
16 Mar 2012
U.S. serviceman detained in Afghanistan over civilian casualties
Exclusive: U.S., Britain to agree emergency oil stocks release
Sixteen Afghan civilians killed in rogue U.S. attack
North Korea flaunts military might
Fri, Mar 16 2012
Viral video director hospitalised
Fri, Mar 16 2012
Why Apple customers turn a blind eye
Fri, Mar 16 2012
Microsoft says hacking code could have leaked
Wanted computer hacker helps bring charges
Tue, Mar 6 2012
Analysis & Opinion
Corporate governance: boardrooms fret over corporate espionage and federal guidance regimes
The InternetFeds: Inside hacker Sabu’s war room
By Joseph Menn
SAN FRANCISCO |
Fri Mar 16, 2012 7:05pm EDT
SAN FRANCISCO (Reuters) - Microsoft's process for sharing information about security vulnerabilities in its products came under fire Friday after a roadmap for exploiting a severe, recently discovered flaw appeared on a hacking website in China.
The guideline, known as "proof-of-concept" code, most likely leaked from one the more than 70 security companies that get advance warnings from the company about major new holes, according to the researcher who found the flaw.
Microsoft said it was investigating the disclosure and "will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."
"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program partners," said Yunsun Wee, Microsoft's director of its Trustworthy Computing effort.
Announced in 2008, Microsoft's program alerts security companies to upcoming patches, typically a day before the patches themselves are released. The idea is to give them time to prioritize and test the fixes before installing them to protect their customers.
The timing is essential, because once the patches come out, hackers can reverse-engineer them to figure out what problems they solve, then produce tools to break into unpatched systems. The window from patch release to working hacking code has shrunk from months or weeks to days and in some cases hours.
Participants in the advance-warning program include most of the largest and many smaller security vendors, including some in China. All promise to keep the information secret.
Some security professionals questioned why Microsoft allowed so many into its program, though others said it also would be faulted for hoarding information.
The patches for the new hole were distributed on Tuesday, as part of Microsoft's regular monthly cycle for security fixes. The hole is a very serious one, because full exploitation would allow an attacker to control machines running Windows XP and later Windows versions that have Remote Desktop Protocol enabled, as long as the network doesn't demand authentication.
The protocol is off by default but turned on by many corporate technologists, who use it to install new programs or fix problems on employee machines.
The flaw could be used to spread a worm, meaning that it could hop from computer to computer without users making mistakes such as clicking on a tainted email attachment.
Microsoft previously warned companies to install the patches as soon as possible, saying that they expected hacking code to circulate within a month.
The researcher who discovered the flaw in May last year, Italian Luigi Auriemma, first submitted his findings and the proof-of-concept to a security group led by Hewlett-Packard's TippingPoint. That group tested and vetted the research and passed it on to Microsoft in August so that the company could develop a patch.
Auriemma had been checking to see who would reverse-engineer the patch first, and was startled to find that the first code to circulate was his own.
"If the author of the leak is one of the MAPP partners, it's the epic fail of the whole system," Auriemma wrote on his personal blog.
Fortunately, the exploit code Auriemma drafted would only shut a PC down, not hand over control to the attacker. Full exploit code has not been seen yet, but security experts said it would likely come more quickly now that the starting point is in the wild.
"Windows users should consider themselves on high alert and harden their defenses by patching their PCs as soon as possible, before we see this worm turn even more malicious," Sophos security consultant Graham Cluley wrote on his company's blog.
(Reporting By Joseph Menn; Editing by Gary Hill)
Related Quotes and News
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Be the first to comment on reuters.com.
Add yours using the box above.
Back to top
New York Legal
Support & Contact
Advertise With Us
Connect with Reuters
Our Flagship financial information platform incorporating Reuters Insider
An ultra-low latency infrastructure for electronic trading and data distribution
A connected approach to governance, risk and compliance
Our next generation legal research platform
Our global tax workstation
About Thomson Reuters
Thomson Reuters is the world's largest international multimedia news agency, providing investing news, world news, business news, technology news, headline news, small business news, news alerts, personal finance, stock market, and mutual funds information available on Reuters.com, video, mobile, and interactive television platforms. Thomson Reuters journalists are subject to an Editorial Handbook which requires fair presentation and disclosure of relevant interests.
NYSE and AMEX quotes delayed by at least 20 minutes. Nasdaq delayed by at least 15 minutes. For a complete list of exchanges and delays, please click here.