CVE-2015-0096 issue patched today involves failed Stuxnet fix

DaveWeinstein ‎03-10-2015 10:04 AM - edited ‎03-10-2015 11:39 AM

In early January of 2015, researcher Michael Heerklotz approached ZDI with details of a critical vulnerability in the Microsoft Windows operating system. The vulnerability demonstrates that a security patch released by Microsoft in August 2010 does not, in fact, fix the CVE-2010-2568 .LNK issue first widely reported in Stuxnet – leaving all Windows machines vulnerable ever since.
In mid-2009, Stuxnet was released against the Iranian nuclear program. Attributed to the United States and Israel, Stuxnet used multiple zero-day attacks against Windows to attack the Iranian centrifuges. It was discovered in June 2010 by VirusBlokAda and reported to Microsoft. In February of 2015, Kaspersky Lab's Global Research & Analysis Team released findings that attacks included in Stuxnet were in use as early as 2008.

A USB drive was the initial infection vector. It took advantage of a vulnerability in the Windows operating system that allowed arbitrary code to execute when a user simply browsed to a directory.

Windows allows .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files. The problem is that in Windows, icons are loaded from modules (either executables or dynamic-link libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could.
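As an added illustration (not code from the original post or from ZDI), the Python script below reads the ICON_LOCATION string that the Shell Link Binary File Format (MS-SHLLINK) lets a shortcut carry and flags .cpl references that point outside the system directory, which is where a defender triaging shortcuts from removable media or file shares would want to look first. It builds its own constructed sample shortcuts so it runs offline. It is a triage heuristic, not a detector for the specific exploit described here (a shortcut can name its icon source in other parts of the file as well); the names `build_lnk`, `parse_icon_location`, `assess_icon_location` and `triage_lnk`, and the rule that only %SystemRoot%\System32 is a trusted location for a .cpl icon source, are assumptions of the example.

```python
import ntpath
import struct

# Constants from the MS-SHLLINK specification (Shell Link Binary File Format).
HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, stored little-endian.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData structures appear in this fixed order when their flag is set.
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                     HAS_ARGUMENTS, HAS_ICON_LOCATION)

# Assumption of this example: a .cpl icon source is expected only here.
SYSTEM_DIR = r"c:\windows\system32" + "\\"


def _string_data(text):
    # CountCharacters (2 bytes LE) followed by UTF-16LE characters, no terminator.
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(icon_location, name=None):
    """Constructed sample (hypothetical helper): a minimal shortcut with an empty
    LinkTargetIDList, an optional NAME_STRING and an ICON_LOCATION string."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION | IS_UNICODE
    if name is not None:
        flags |= HAS_NAME
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII",
        flags, 0,        # LinkFlags, FileAttributes
        0, 0, 0,         # CreationTime, AccessTime, WriteTime
        0, 0, 1,         # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0)      # HotKey, Reserved1, Reserved2, Reserved3
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: only the TerminalID
    body = b""
    if name is not None:
        body += _string_data(name)
    body += _string_data(icon_location)
    return header + id_list + body


def parse_icon_location(data):
    """Return the ICON_LOCATION string of a shell link, or None if it has none."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip IDListSize + items
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    icon = None
    for flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += count * width
        text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
        if flag == HAS_ICON_LOCATION:
            icon = text
    return icon


def assess_icon_location(icon):
    """Heuristic verdict: a .cpl icon source outside System32 is worth a look."""
    if icon is None:
        return "no-custom-icon"
    path = icon.strip().lower()
    if ntpath.splitext(path)[1] != ".cpl":
        return "ok"
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, r"c:\windows")
    return "ok" if path.startswith(SYSTEM_DIR) else "suspicious-cpl"


def triage_lnk(data):
    icon = parse_icon_location(data)
    return icon, assess_icon_location(icon)


if __name__ == "__main__":
    # Constructed samples: a normal Control Panel shortcut, a .cpl reference on
    # removable media, and a shortcut whose icon is a plain .ico file.
    samples = {
        "control-panel-shortcut": build_lnk(r"%SystemRoot%\System32\main.cpl", name="Mouse"),
        "removable-media-shortcut": build_lnk(r"E:\docs\custom.cpl", name="Report"),
        "plain-icon-shortcut": build_lnk(r"C:\icons\app.ico"),
    }
    for label, blob in samples.items():
        print(label, triage_lnk(blob))
```

Pointing `triage_lnk` at the bytes of real shortcut files found on removable media gives a quick first pass; anything reported as `suspicious-cpl` deserves a look at the full file, since the icon source is only one of the places a shortcut can name a module to load.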
In August 2010, Microsoft patched that vulnerability with MS10-046. That bulletin was released out of band (that is, outside Microsoft’s normal Patch Tuesday cadence) and was the first of the Stuxnet-related bulletins released.
The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.
Microsoft today has released MS15-020, which we understand will address the issue. The ZDI recommends that the released patch be deployed immediately. It is also possible to follow the manual instructions given by Microsoft for the original Stuxnet vulnerability to disable the display of icons for LNK files. ZDI has confirmed that this mitigation will work against the unpatched vulnerability. Current HP TippingPoint customers are protected by filter #19340.
In the ZDI's catalog, this vulnerability is ZDI-15-086.
At 2pm PDT today, the ZDI will release the full details of the vulnerability, based on the detailed research provided by Michael Heerklotz.
