Microsoft accused of leaking attack code

A security researcher has accused Microsoft of leaking attack code for a critical vulnerability in the RDP remote desktop protocol.

Italian security researcher Luigi Auriemma first discovered the security flaw and reported it to Microsoft in August 2011, complete with proof-of-concept attack code. Auriemma went on to describe how he was in no doubt that an executable appearing on a Chinese web site contained his "pre-built packet".

He went on to suggest that Microsoft wrote the attack code for internal testing of a security fix and that the code was leaked during distribution to Microsoft partners under the Microsoft Active Protections Program.

Which of course means that Microsoft may not have leaked the code at all and it could have been leaked by one of the partners.

"If the author of the leak is one of the MAPP partners… it’s the epic fail of the whole system," Auriemma said.

"What do you expect if you give the PoC (proof of concept) to your "super trusted" partners?" he asked.

Microsoft later confirmed that the code was leaked by one of the firm’s MAPP partners, adding somewhat obviously that the code was released under a "strict Non-Disclosure Agreement".

In other words, it’s not their fault.