An attack exploiting a recently patched critical Windows flaw appeared on a Chinese site Thursday -- and the source of the code appears to be Microsoft itself.
The discovery comes less than 48 hours after Microsoft released a patch for a critical vulnerability in Microsoft's Remote Desktop Protocol (RDP), a Windows service that allows administrators and support personnel to connect remotely to users' computers. Early Friday morning, Luigi Auriemma, the security researcher who originally reported the vulnerability to the Zero Day Initiative (ZDI) bug bounty program, identified the exploit code as information he had supplied to the vendor.
"The packet stored in the 'chinese' rdpclient.exe PoC (proof-of-concept) is the EXACT ONE I gave to ZDI!!!" Auriemma wrote in a Twitter post early Friday morning, adding later in the day: "In case [it] isn't clear yet: rdpclient.exe seems written by Microsoft using the original packet poc I sent to ZDI. MS is the source of the leak."
On Tuesday Microsoft issued a patch for the critical RDP vulnerability, which affects every version of Windows, along with a stern warning to Windows users to apply the fix as soon as possible. Soon after, researchers started working on exploits for the vulnerability, and a small bounty was even posted on an independent site.
The code found on the Internet includes information that came from Microsoft, not from the Zero Day Initiative. Microsoft released the simple program in November to allow its customers and partners to identify vulnerable machines.
"Turns out this rdpclient.exe that we found on some random chinese download site has the string 'MSRC11678' in it -- Woops?" Joshua Drake, a researcher at security consultancy Accuvant, wrote to Twitter.
Microsoft provides advance information about security vulnerabilities to a number of partners, including security companies in its Microsoft Active Protections Program (MAPP). Using that advance information, MAPP partners can create signatures and other mitigations to prevent the vulnerabilities from being used against their customers.
The source of the leaked code could be a Microsoft employee, who may have leaked the code intentionally or inadvertently, or one of the company's MAPP partners. Microsoft also could have suffered a breach, but it's unlikely the exploit code would be the only sign of that.
"At the moment, the more realistic [source] is the MAPP," Auriemma said in an email interview on Friday.
The attack reportedly does not allow full exploitation of a targeted system, but it may crash the operating system or otherwise create a denial-of-service condition. Microsoft apparently did not send a fully developed exploit to its partners, but only included the packet Auriemma originally provided, the researcher says.
Microsoft was not immediately available for comment.
This story, "Windows exploit leaked -- by Microsoft?" was originally published at InfoWorld.com.