Microsoft misses flaw in 2010 patch that was supposed to quash Stuxnet bug

A critical Windows vulnerability that was exploited by the notorious Stuxnet worm as long ago as 2008 was not fully patched until yesterday.

A critical Windows vulnerability that was one of several exploited by the notorious Stuxnet worm as long ago as 2008 was not completely patched until just yesterday, a security researcher said.

Brian Gorenc, manager of vulnerability research at Hewlett-Packard's TippingPoint, blamed lax quality control at Microsoft for the oversight. "You would have expected that this would have been caught, especially with the [vulnerability's] visibility," said Gorenc, who also heads TippingPoint's Zero Day Initiative (ZDI) bug bounty program.

The flaw in Windows was purportedly fixed in August 2010, when Microsoft issued an emergency update -- often dubbed "out-of-band" or "out-of-cycle" to denote that it was released outside the usual Patch Tuesday schedule -- but it did not entirely quash the bug, according to TippingPoint, a maker of intrusion detection products.

"The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment," HP wrote in a Tuesday post.

Microsoft quashed the remaining exploit vector yesterday in one of the 14 security updates it released around 10 a.m. PT. In the accompanying advisory, however, Microsoft made no mention of the fact that it was shutting a barn door left open for more than four and a half years.

The original bug was related to Windows "shortcut" files, the placeholders typically dropped on the desktop, into the Start menu, or into folders to represent links to actual files or programs. Windows failed to correctly parse those shortcuts, identified by the ".lnk" extension, and hackers exploited the bug using USB flash drives. By crafting a malicious .lnk file, attackers were able to hijack a Windows PC with little user interaction: All that was necessary was that the user viewed the contents of the USB drive with a file manager like Windows Explorer.
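As a defender-side illustration of the file format at the center of this story, the following is an added example (not code from the article, TippingPoint or Microsoft) that parses the public MS-SHLLINK header and item ID list of a shortcut with strict bounds checks, the kind of validation a .lnk parser needs before trusting anything in the file; the sample shortcut it reads is constructed inline and the spec constants are assumptions drawn from the published format, not from the article.

```python
import struct

# MS-SHLLINK ShellLinkHeader constants (public spec; assumption, not from the article)
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}

def parse_lnk(data: bytes) -> dict:
    """Parse the fixed header and optional LinkTargetIDList of a .lnk file.
    Every length field is checked against the buffer before it is used, so a
    malformed shortcut raises ValueError instead of being trusted."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID")
    info = {"flags": [n for b, n in LINK_FLAGS.items() if flags & b], "items": []}
    off = HEADER_SIZE
    if flags & 0x01:  # IDListSize (2 bytes), then ItemIDs, then 0x0000 TerminalID
        if off + 2 > len(data):
            raise ValueError("truncated IDListSize")
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2
        end = off + id_list_size
        if end > len(data):
            raise ValueError("IDListSize exceeds file")
        while True:
            if off + 2 > end:
                raise ValueError("missing TerminalID")
            (item_size,) = struct.unpack_from("<H", data, off)
            if item_size == 0:  # terminator reached
                off += 2
                break
            if item_size < 2 or off + item_size > end:
                raise ValueError("ItemID overruns IDList")
            info["items"].append(data[off + 2:off + item_size])  # ItemID payload
            off += item_size
        if off != end:
            raise ValueError("IDList length mismatch")
    return info

def build_sample(items, flags=0x01) -> bytes:
    """Constructed test input: a minimal .lnk carrying only an ID list."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\0\0"
    return header + struct.pack("<H", len(body)) + body
```

Running `parse_lnk` over every `.lnk` on a mounted removable drive gives an analyst the link flags and raw item IDs without letting the shell render the shortcut.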

Stuxnet, the worm reportedly crafted by U.S. and Israeli intelligence agencies, used that vulnerability, and at least three others, to infect control systems at Iran's nuclear fuel enrichment facilities. Experts believed that the worm was deployed in an attempt to slow or even cripple Iran's efforts to develop nuclear weapons.

The .lnk vulnerability and its USB-based attack approach, analysts and researchers surmised, were used to bridge the "air gap" between PCs connected to the Internet and those that ran the enrichment control systems. The latter would have been isolated from other computers for security purposes.

ZDI received a report from outside researcher Michael Heerklotz in early January that the earlier patch was flawed. As per its policy, ZDI forwarded the information to Microsoft and withheld news of the vulnerability until the Redmond, Wash., company rolled out a fix.

The bug bounty program today also published a technical analysis of the vulnerability that explained why the 2010 patch had not been 100% effective, as well as a video demonstration of the exploit.

Gorenc was critical of Microsoft's omission four years ago. "Considering the number of eyes that have looked at that code and the patch, it's surprising that it actually existed," Gorenc said. "It proves that they're not analyzing the patches as much as we thought."

He also noted that exploits were able to sidestep Windows' defenses, including ASLR (address space layout randomization). "It's definitely interesting to see that researchers [like Heerklotz] are interested in looking for arbitrary code execution where memory corruption defenses in Windows are ineffective," Gorenc said in an interview. "All you have to do is browse to a folder on a malicious site and you'll execute code. It's a very silent way to get into a system."

Microsoft said it had no evidence that Heerklotz's findings had been used in actual attacks. "When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers," the MS15-020 bulletin said.

While Gorenc had no proof to the contrary, he implied that others -- including cyber criminals -- may also have dug into the 2010 patch, possibly long ago. "Clearly, people have been looking at the code base and looking for ways to bypass the validation check," he said of the original fix's approach. "It's hard to believe that it went undiscovered until now."

All supported versions of Windows, from Windows Server 2003 -- which will be retired in July -- to the latest Windows 8.1, contained the errant patch, and so must be re-patched with yesterday's update.

Gorenc confirmed that MS15-020 plugged the hole Heerklotz found, at least in the versions of Windows that ZDI was able to check. Because Microsoft no longer issues public patches for Windows XP -- it dropped off the support list in April 2014 -- but does provide critical updates to corporate customers who have paid for custom post-retirement support, his team was unable to verify the efficacy of any XP fix.

Windows XP did receive the 2010 update -- designated as MS10-046 -- and is virtually guaranteed to have the flaw discovered by Heerklotz.

The silver lining in this, Gorenc said, is that researchers were taking second, third and maybe even more looks at Microsoft's patches. "But it's a pretty amazing find," he said.

Microsoft did not immediately reply to questions today, including how the flaw had been overlooked earlier.

Stories by Gregg Keizer