
Microsoft Reportedly Cuts China's Early Access to Bug Disclosures, PoC Exploit Code (theregister.com)

An anonymous reader quotes a report from The Register: Microsoft has reportedly stopped giving Chinese companies proof-of-concept exploit code for soon-to-be-disclosed vulnerabilities following last month's SharePoint zero-day attacks, which appear to be related to a leak in Redmond's early-bug-notification program. The software behemoth gives some software vendors early bug disclosures under its Microsoft Active Protections Program (MAPP), which typically delivers info two weeks before Patch Tuesday. MAPP participants sign a non-disclosure agreement, and in exchange get vulnerability details so that they can provide updated protections to customers more quickly.

According to Microsoft spokesperson David Cuddy, who spoke with Bloomberg about changes to the program, MAPP has begun limiting access to companies in "countries where they're required to report vulnerabilities to their governments," including China. Companies in these countries will no longer receive "proof of concept" exploit code, but instead will see "a more general written description" that Microsoft sends at the same time as patches, Cuddy told the news outlet.

"A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register in July. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day."

Childs said the MAPP change "is a positive change, if a bit late. Anything Microsoft can do to help prevent leaks while still offering MAPP guidance is welcome."

"In the past, MAPP leaks were associated with companies out of China, so restricting information from flowing to these companies should help," Childs said. "The MAPP program remains a valuable resource for network defenders. Hopefully, Microsoft can squelch the leaks while sending out the needed information to companies that have proven their ability (and desire) to protect end users."

  • by TWX ( 665546 ) on Friday August 22, 2025 @07:32PM (#65609340)

    ...Microsoft was previously providing vulnerability information and proof-of-concept exploits for those vulnerabilities in systems and software used by American and allied defense contractors' corporate networks and to utility OT networks to a foreign government before patches were widely deployed among those American and allied countries' networks.

    • by cpurdy ( 4838085 ) on Saturday August 23, 2025 @12:23PM (#65610488)
      Furthermore, it is now the law in China that citizens MUST report all software security issues that they are aware of to the government, and it is ILLEGAL to report them to companies outside of China. Just like the Internet in general, China has made security bug information a "one way street" that it can abuse for control of its own citizens, and as a weapon against the rest of the world. Unfortunately, with the western world deeply invested in a fascist cult and self-destructing its institutions, there is nothing that can balance the malevolence of the Chinese government at the moment. We will all suffer greatly for this, including the people of China.
  • yo china: this is why we can't have nice things

    go to your fucking room and think about what you've done

    • by znrt ( 2424692 )

      yo china: go to your fucking room and think about what you've done

      this exploit affected "tens of thousands" of sharepoint installations, and they guess some of it was chinese because "ttp's aligned" with other attacks (which aligned with ... what?). that's a pretty weak assessment. however ...

      "Sixty days to fix really isn't a bad timeline for a bug that stays private and stays under coordinated disclosure rules,"

      yes it is. "coordinated disclosure rules" isn't by any means a sensible argument. it's pretty obvious that pointing the finger in any vague direction is a big temptation at this point, and ofc bad china bad is the perfect target. hey, "ttps align!".

      now, it's ofc possible that chinese

      • by Slayer ( 6656 )

        this exploit affected "tens of thousands" of sharepoint installations, and they guess some of it was chinese because "ttp's aligned" with other attacks (which aligned with ... what?). that's a pretty weak assessment. however ...

        It's all they will share with the general public. After Chinese companies broke their trust, and that's the core accusation here, they are not exactly eager to reveal how they caught them. We, the public, can't really know what happens, we will not be presented with hard facts or evidence, but this doesn't mean it doesn't exist. It's up to anyone here to trust either the US accusations or the inevitable Chinese denials.

        either way you can easily see that this reaction isn't designed at all to fix a problem, but to cover up incompetence. that's why we can't have nice things.

        Here I agree with you. 60 days to fix such a glaring bug is ridiculous and the main reaso

        • by znrt ( 2424692 )

          Many companies pathetically trust their corporate crown jewels on these awful Sharepoint servers, so "snoop around some random sharepoint servers" is a wild understatement.

          could be. i don't know what they supposedly gained from it, but to blow such a connection it would have to be very good ... (if it was a state actor which is possible but no, i simply wouldn't trust these reports at all. not in principle and much less in this instance: i agree that these details aren't meant to be shared, but then what's the point of this whole press release in the first place?). also, i'm not an expert at all but i can't imagine that any (serious) state actor would operate in such a reckle

          • by Slayer ( 6656 )

            There was a comparison between hacking strategies some months ago. Russians break and enter a few high value targets, grab the crown jewels and disappear. Chinese typically perform complete raids of everything and simply don't care about the resulting diplomatic rift. That's probably the reason why this Microsoft Sharepoint hack was quickly attributed to China, and why the assumption exists that they took everything they got a hold of. Compare the Solarwinds campaign with the Microsoft Outlook campaign to

            • by znrt ( 2424692 )

              Compare the Solarwinds campaign with the Microsoft Outlook campaign to see the difference.

              solarwinds: highly sophisticated, carefully disguised longterm attack on very specific targets. it does indeed have the hallmarks of a state actor or a very sophisticated and strategic criminal group operation.

              ms outlook: high number of broad spectrum attacks, including some sensible targets, through opportunistic exploitation of zero-day vulnerabilities. this does not look like the work of a determined state actor with a minimal degree of sophistication.

              Yes, the latter one was indeed reckless, and the Microsoft Sharepoint campaign fits that pattern well.

              this campaign looks similar to ms outlook indeed, exc

  • If the companies are out of China, then why are they blaming China? They should blame whatever country the companies are actually in.

    • by cpurdy ( 4838085 )
      Because it is the law in China that all security vulnerabilities in all software must be reported to the government, and it is illegal to disclose those same vulnerabilities to the companies responsible for the hardware or software that the bugs are encountered within. This is "illegal hacking" as an official state policy of China.