Microsoft patches flaw exploited by Stuxnet – again
Among the vulnerabilities patched by Microsoft in this month’s Patch Tuesday is one that was supposedly patched back in 2010.
The Windows Shell Shortcut Icon Loading Vulnerability (CVE-2010-2568) was one of the four flaws used by the attackers who released the Stuxnet malware against the Iranian nuclear program.
“In early January of 2015, researcher Michael Heerklotz approached ZDI with details of a critical vulnerability in the Microsoft Windows operating system. The vulnerability demonstrates that a security patch released by Microsoft in August 2010 does not, in fact, fix the CVE-2010-2568 .LNK issue first widely reported in Stuxnet – leaving all Windows machines vulnerable ever since,” shared HP’s Dave Weinstein.
Apart from the Stuxnet attackers, the .LNK flaw has also been exploited by the Equation Group hackers, probably after finding a way to bypass the initial patch. HP researchers are going to publish a more detailed report about the flaw this afternoon.
Microsoft has commented these new revelations by saying that the DLL Planting Remote Code Execution vulnerability (CVE-2015-0096) addressed on Tuesday is a new vulnerability that required a new security update.
“Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals,” they commented. According to the comment received by The Register, this latest exploit method isn’t the same as the one that was addressed in the earlier patch.
“The ZDI recommends that the [latest] released patch be deployed immediately. It is also possible to follow the manual instructions given by Microsoft for the original Stuxnet vulnerability to disable the display of icons for LNK files. ZDI has confirmed that this mitigation will work against the unpatched vulnerability,” the researchers added.
UPDATE: Here‘s HP’s detailed report on CVE-2015-0096 and the failed MS10-046 Stuxnet fix.