I’m sure you remember the notorious Stuxnet worm, used in a joint US/Israeli operation to disrupt activities at the Natanz uranium enrichment facility in Iran.
Besides its tailored attacks against SCADA equipment, meddling with Iranian nuclear centrifuges, Stuxnet was also an eye-opener for its use of zero-day vulnerabilities.
Because Stuxnet was capable of installing itself automatically (with no user interaction required) onto a fully-patched Windows computer from a USB memory stick, even if the user has disabled the Windows AutoRun and AutoPlay feature.
In other words, a computer user only had to open Explorer on a USB stick they found lying around in the car park and that would be enough to infect their PC, whereupon it would hide its presence.
In short: that’s one nasty zero-day vulnerability.
The vulnerability (known as CVE-2010-2568) existed in Microsoft Windows’ handling of .LNK shortcut files. When Windows attempted to display the icon of an exploited .LNK file, it would malicious code instead – without any user interaction.
Back in 2010, while I was still working at Sophos, I made a video discussing what we then called the “Shortcut exploit”.
Microsoft released a patch for the vulnerability not much later (thus negating any requirement for the bespoke tool I describe in the video that Sophos had produced to prevent any mischief).
Huzzah! Or so we thought.
Because in yesterday’s Patch Tuesday, Microsoft included what appeared to be a new attempt (MS15-020) to deal with the .LNK shortcut exploit – almost five years after their first attempt.
What seems to have stirred Microsoft into having another crack at the vulnerability is the work done by security researcher Michael Heerklotz, who approached Hewlett Packard’s Zero Day Initiative (ZDI) group with details of how Microsoft’s patch back in 2010 had been insufficient.
Heerklotz sold details of the vulnerability to ZDI for an undisclosed sum, which has published details of weaknesses in Microsoft’s patch and speculated that it’s possible attackers could have been exploiting the vulnerability in the intervening 4+ years.
Here’s a short video where ZDI demonstrate how failed MS10-046 patch for the Stuxnet LNK vulnerability could be exploited:
In this new version of the attack (CVE-2015-0096), ZDI’s code is bypassing validation checks that Microsoft put in place to catch the security flaw. Ironically, the initially Registry workaround suggested by Microsoft back in 2010 (before they issued the initial patch) and used by the Sophos tool appear to continue to be effective.
HP’s researchers sum up the situation as an embarrassing failure for Microsoft:
“The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”
With more focus than ever before on this weakness in Windows, you would probably be wise to hold off using any USB devices until after you have applied the latest MS15-020 patch.
Fingers crossed that Microsoft has been more thorough now than it was in late 2010, and that this is the last we will be hearing of this particularly serious flaw.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
2 comments on “Microsoft failed to properly patch the Stuxnet USB flaw in 2010… but has now (we hope)”
Microsoft has so many backdoors they could host galaxy wide orgies.
Considering the number of breaches in the last 5 years it is facinating this vulnerability was never the culprit…
More proof a vulnerability does not necessarily equal a breach… Let alone an attack…