CVE-2015-0096 issue patched today involves failed Stuxnet fix

DaveWeinstein 03-10-2015 10:04 AM - edited 03-10-2015 11:39 AM

In early January of 2015, researcher Michael Heerklotz approached ZDI with details of a critical vulnerability in the Microsoft Windows operating system. The vulnerability demonstrates that a security patch released by Microsoft in August 2010 does not, in fact, fix the CVE-2010-2568 .LNK issue first widely reported in Stuxnet – leaving all Windows machines vulnerable ever since.


In mid-2009, Stuxnet was released against the Iranian nuclear program. Attributed to the United States and Israel, Stuxnet used multiple zero-day attacks against Windows to attack the Iranian centrifuges. It was discovered in June 2010 by VirusBlokAda and reported to Microsoft. In February of 2015, Kaspersky Labs' Global Research & Analysis Team released findings that attacks included in Stuxnet were in use as early as 2008.


A USB drive was the initial infection vector. It took advantage of a vulnerability in the Windows operating system that allowed arbitrary code to execute when a user simply browsed to a directory.


Windows allows .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files. The problem is that in Windows, icons are loaded from modules (either executables or dynamic-link libraries), and .CPL files are in fact DLLs. Because an attacker could define which module would be loaded to render the icon, an attacker could use the .LNK file to execute arbitrary code inside the Windows shell and do anything the current user could.
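As an added illustration of the icon reference described above (this is not code from the ZDI, Microsoft or the original post), the following Python walks a shell link far enough to find where its icon comes from and flags shortcuts that draw it from a .CPL module, the kind of triage check a defender might run over files arriving on removable media. The field layout and flag values are assumptions taken from the public MS-SHLLINK format description, and the sample link is constructed here for the test.

```python
import struct

# LinkFlags bits from the public MS-SHLLINK format (assumed, not from the advisory)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Walk a .LNK far enough to recover the target ItemID list and StringData."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags follows the 16-byte CLSID
    pos, info = HEADER_SIZE, {"id_list": b""}
    if flags & HAS_ID_LIST:                          # LinkTargetIDList: size + items
        size = struct.unpack_from("<H", data, pos)[0]
        info["id_list"] = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:                        # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_FIELDS:                 # CountCharacters + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def icon_from_cpl(data: bytes) -> bool:
    """True when the shortcut's icon would be drawn from a Control Panel module (.cpl)."""
    info = parse_lnk(data)
    icon = info.get("icon_location", "").lower()
    if icon.endswith(".cpl") or ".cpl," in icon:
        return True
    # the reference may sit in the ItemID list instead of the IconLocation string
    blob = info["id_list"].lower()
    return b".cpl" in blob or ".cpl".encode("utf-16-le") in blob

def build_sample_lnk(icon_location: str) -> bytes:
    """Constructed test input: a minimal Unicode link carrying only an IconLocation."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # shell link CLSID
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, clsid,
                         HAS_ICON_LOCATION | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    text = icon_location.encode("utf-16-le")
    return header + struct.pack("<H", len(icon_location)) + text
```

A flagged file is a candidate for review, not proof of exploitation: legitimate Control Panel shortcuts also reference .CPL icons, so the check is meant to narrow what an analyst looks at on a drive of unknown origin.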


In August 2010, Microsoft patched that vulnerability with MS10-046. That bulletin was released out of band (that is, outside Microsoft’s normal Patch Tuesday cadence) and was the first of the Stuxnet-related bulletins released.


The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.


Microsoft has today released MS15-020, which we understand will address the issue. The ZDI recommends that the released patch be deployed immediately. It is also possible to follow the manual instructions Microsoft gave for the original Stuxnet vulnerability, which disable the display of icons for LNK files. ZDI has confirmed that this mitigation works against the unpatched vulnerability. Current HP TippingPoint customers are protected by filter #19340.


In the ZDI's catalog, this vulnerability is ZDI-15-086.


At 2pm PDT today, the ZDI will release the full details of the vulnerability, based on the detailed research provided by Michael Heerklotz.
