Saturday 5 August 2017

Microsoft Attempts To Fix Stuxnet For The Third Time Nearly Five Years Later

One of the patches released by Microsoft as part of its June 2017 security updates represents the company’s third attempt at patching an old vulnerability exploited by the notorious Stuxnet worm in 2010. The initial vulnerability, tracked as CVE-2010-2568, allows a remote attacker to execute arbitrary code on a system using specially crafted shortcut files with the LNK or PIF extension.

CVE-2010-2568 was one of the four zero-day vulnerabilities exploited in the 2010 Stuxnet attacks targeting Iran’s nuclear program. It's arguably the first, and most famous example of government-developed malware. Its creation is said to have been a joint operation between Israel and the United States.

Image result for Microsoft Attempts To Fix Stuxnet For The Third Time Nearly Five Years LaterIn 2015, researchers discovered that Microsoft’s initial fix could be bypassed and the tech giant released another patch. The flaw, tracked as CVE-2015-0096, was treated by Microsoft as a completely new issue.

The flaw leveraged by Stuxnet allowed .LNK files, which are what define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files.

"The problem is that in Windows, icons are loaded from modules (either executable or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, by convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device.

Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake.

CERT/CC pointed out that Microsoft patched the new vulnerability, tracked as CVE-2017-8464, with its June security updates. Microsoft informed customers at the time that this flaw had been exploited in the wild. Exploits for the security hole are now publicly available, including a Metasploit module made by Securify's Yorick Koster.

The organization pointed out that in addition to applying Microsoft’s patches, users can prevent potential attacks by blocking outgoing connections on TCP and UDP ports 139 and 445. This prevents machines from accessing a remote SMB server, which is typically needed to exploit the vulnerability.

No comments: