Attack code privately submitted to Microsoft to demonstrate the severity of a critical Windows vulnerability is circulating on the 'Net, prompting the researcher who discovered it to say it was leaked by the software maker or one of its trusted partners.

The precompiled executable surfaced on Chinese-language websites on Thursday, two days after Microsoft released a patch for the hole, which affects all supported versions of the Windows operating system. The company warned users to install the fix as soon as possible because the vulnerability allows attackers to hit high-value targets with self-replicating exploits that remotely install malicious software. Microsoft security personnel have predicted that exploit code will be independently developed within the next month.

Luigi Auriemma, the Italian security researcher who discovered the vulnerability and submitted proof-of-concept code to Microsoft and one of its partners in November, wrote in an email that he's "100% sure" the rdpclient.exe binary was taken from the exploit he wrote. In a later blog post, he said evidence his code was copied included an internal tracking number the Microsoft Security Response Center assigned to the vulnerability. He also cited other striking similarities in the packet that triggers the vulnerability.

"So yes, the pre-built packet stored in 'rdpclient.exe' IS mine," he wrote. "No doubts."

He went on to speculate that the code was leaked by someone from Microsoft or one of its trusted partners. He specifically named ZDI, the Zero Day Initiative, a program sponsored by HP-owned TippingPoint, a maker of intrusion prevention systems; the program pays researchers cash for technical details about critical software vulnerabilities. He also speculated the leak could have come from any one of the 30 or so partners who participate in the Microsoft Active Protections Program (MAPP). That program gives antivirus and IPS makers technical details of Microsoft vulnerabilities in advance so they can release signatures that prevent the flaws from being exploited.

Update: Aaron Portnoy, ZDI's Manager of Security Research, told Ars he's sure the leak didn't come from anyone at his company.

"I've actually gotten confirmation from Microsoft that they're also confident that the leak wasn't from us," he said in an interview. "I can't comment further on the issue other than [to say] they seem to have some knowledge as to what happened and they are confident it was not from us."

He said exploit details have never leaked out of his company, and he added he was unaware of leaks involving other Microsoft partners, either.

Update 2: Yunsun Wee, Director of Microsoft's Trustworthy Computing division, confirmed that the code appeared to match vulnerability information shared with MAPP partners.

"Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements," Wee wrote in a blog post. The statement made no reference to Portnoy's comments.

Developers of the Metasploit framework, an open-source package that hackers and penetration testers use to exploit known security bugs, have confirmed that rdpclient.exe triggers the vulnerability Microsoft reported Tuesday. The flaw resides in the Remote Desktop Protocol and allows attackers to execute code of their choosing on any machine that has the service turned on. HD Moore, CSO of Rapid7 and chief architect of the Metasploit project, told Ars the code caused a machine running Windows Server 2008 R2 to display a blue screen of death, but there were no signs it executed any code.

He said Metasploit personnel have been able to replicate the crash, but are still several weeks away from being able to exploit the bug to execute code.

"It's still a huge vector for knocking servers offline right now if you can figure out how to DoS the RDP service," he said in an interview.

There are unconfirmed claims that code is already circulating in the wild that does far more than cause machines to crash. This screen shot, for example, purports to show a Windows machine receiving a remote payload after the vulnerability is exploited. Security consultants have said there's no proof such attacks are real.

"On the other hand, if they've had this since November internally, it's not impossible that someone would have had time to actually develop what that screen shot is showing," Alex Ionescu, who is chief architect of security firm CrowdStrike, told Ars.

Updated to include comment from ZDI's Aaron Portnoy and Microsoft's Wee.