Microsoft finds information leak and closes critical Windows holes
On its May Patch Tuesday, Microsoft plans to release a total of seven bulletins to close 23 holes. The company has also announced that those responsible for releasing the Microsoft demo exploit have been found and excluded from the partner programme.
Two of the bulletins close critical vulnerabilities in all supported Windows versions (from XP SP3, including Windows Server). According to the announcement, Microsoft will also close security holes in Office, Silverlight and the .NET framework. The holes potentially allow attackers to inject malicious code into a system remotely – for example when a specially crafted web page is accessed. The software company also plans to close privilege escalation vulnerabilities in all versions of Windows from Vista onwards.
As before, participants of the Microsoft Active Protections Program (MAPP) will receive classified vulnerability information and test tools (exploits) in advance. However, Microsoft said that, this time, it wants to be more careful with the data that is released. "We strengthened existing controls and took actions to better protect our information", Microsoft's security team promised on its blog.
It seems that there was much need for this: in March, a demo exploit developed for MAPP by Microsoft was released on the net a few days after the Patch Day. The exploit allowed remote attackers to crash Windows computers that had the RDP server (Remote Desktop Connection) enabled.
The source of the leak has now been identified: according to Microsoft, network security company DPTech, which is based in Hángzhōu, China, was responsible for it. Microsoft didn't say whether the company released the information intentionally. DPTech has been excluded from MAPP.