Microsoft Suffers Major Security Leak

Microsoft suffered a significant security setback last weekend, with a guideline for fixing a major software vulnerability being leaked to a Chinese hacking website.

The guideline is known as a "proof-of-concept" code, and is essentially an outline of how hackers might exploit a specific security flaw.

In this case, the guideline was related to a recently patched Remote Desktop Protocol (RDP) issue. If exploited, the flaw it covers could allow hackers to infiltrate a remote computer system.

Prior to issuing the patch, Microsoft had rated the RDP flaw "critical," its highest security rating.

Leak Gives Hackers Tools to Penetrate Unpatched Systems

Microsoft operates under a security program known as the Microsoft Active Protection Program (MAPP). MAPP includes the major security firms, including AVG, McAfee, and Kaspersky, plus many others.

MAPP rules state that about 79 different security firms receive a 'heads-up' from Microsoft whenever a new security flaw, such as this one, is discovered within any piece of Microsoft software.

Afterwards, "proof-of-concept" codes like the one now leaked are routinely sent to the security firms about a day before Microsoft's release of major security patches.

This advance notification and early look at the "proof-of-concept" codes give the firms time to design a more efficient security update schedule.

Unfortunately, now that the guideline's details have been leaked, hackers have the opportunity to reverse-engineer the software patch and gain information that could help them break into systems that haven't yet been patched.

Microsoft Admits and Investigates Leak

Microsoft has admitted the guideline has been leaked and says it is currently investigating the situation.

A spokesperson added that the company plans to "take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements." (Source: huffingtonpost.com)

Some industry analysts are asking why Microsoft has allowed so many security companies into its MAPP program. With the number ballooning to nearly 80 in recent years, the chances the program would suffer a leak have markedly increased.

However, other experts note that if Microsoft had played favorites or unduly limited admission to the MAPP program, it would have been criticized for hoarding vital security data. 

It's not yet known who leaked the information. However, a number of security companies participating in the MAPP program have already insisted they were not responsible. (Source: computerworld.com)