Microsoft Reportedly Cuts China's Early Access to Bug Disclosures, PoC Exploit Code

An anonymous reader quotes a report from The Register: Microsoft has reportedly stopped giving Chinese companies proof-of-concept exploit code for soon-to-be-disclosed vulnerabilities following last month's SharePoint zero-day attacks, which appear to be related to a leak in Redmond's early-bug-notification program. The software behemoth gives some software vendors early bug disclosures under its Microsoft Active Protections Program (MAPP), which typically delivers info two weeks before Patch Tuesday. MAPP participants sign a non-disclosure agreement, and in exchange get vulnerability details so that they can provide updated protections to customers more quickly.

According to Microsoft spokesperson David Cuddy, who spoke with Bloomberg about changes to the program, MAPP has begun limiting access to companies in 'countries where they're required to report vulnerabilities to their governments,' including China. Companies in these countries will no longer receive 'proof of concept' exploit code, but instead will see 'a more general written description' that Microsoft sends at the same time as patches, Cuddy told the news outlet. 'A leak happened here somewhere,' Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register in July. 'And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day.'

Childs said the MAPP change 'is a positive change, if a bit late. Anything Microsoft can do to help prevent leaks while still offering MAPP guidance is welcome.'

'In the past, MAPP leaks were associated with companies out of China, so restricting information from flowing to these companies should help,' Childs said. 'The MAPP program remains a valuable resource for network defenders. Hopefully, Microsoft can squelch the leaks while sending out the needed information to companies that have proven their ability (and desire) to protect end users.'

Read more of this story at Slashdot.