Microsoft says a Chinese security vendor breached its non-disclosure contract with the Microsoft Active Protections Program (MAPP) and has been removed from it.
Following a leak of information that led to the development proof-of-concept code for a major Windows vulnerability being exposed, it said that firewall and intrusion prevention systems vendor DPTech has been removed from the programme.
Yunsun Wee, director of Microsoft Trustworthy Computing, said: “During our investigation into the disclosure of confidential data shared with our MAPP partners, we determined that a member of MAPP, DPTech Technologies, had breached our non-disclosure agreement. Microsoft takes breaches of our non-disclosure agreements very seriously and has removed this partner.”
Under MAPP, Microsoft shares vulnerability details with approved software security providers prior to its monthly fixes being released to allow security firms to immediately protect their customers once the patches are delivered.
Specifically, MAPP provides its partners with a comprehensive explanation of the vulnerability, a blueprint to trigger the flaw, information on how to detect the bug and a proof-of-concept file.
This specific vulnerability was in the Windows Remote Desktop Protocol that was patched by Microsoft as part of its Patch Tuesday cycle in March, but it warned that it expected a code-execution exploit released within 30 days. It took around two days for a proof of concept to appear on a Chinese hacker site, but no known remote exploit has been released.
The vulnerability was discovered in May 2011 by researcher Luigi Auriemma, who reported his find to TippingPoint's Zero Day Initiative (ZDI) 'bug bounty' service, which then handed over the information in August to Microsoft.
Upon investigation, Auriemma discovered too many similarities between the published proof-of-concept and the one he sent to ZDI. He also said that the posted code appeared to be modelled on the proof of concept that Microsoft developed in November for internal tests, and which, he concluded, was likely distributed to MAPP partners.
Based on the evidence, Auriemma said he determined that those responsible for creating the publicly available proof of concept were the beneficiaries of a leak.