Microsoft released its Patch Tuesday update today, providing a fix for a flaw that enabled the notorious Stuxnet attack. Most people in the world thought the vulnerability had been fixed back in 2010.
The Stuxnet worm was an exploit that was used against a nuclear facility in Iran back in 2010, in part by taking advantage of a vulnerability in Windows. The vulnerability that enabled Stuxnet was identified as CVE-2010-2568, which was thought to have been patched by Microsoft in October 2010. More than four years later, Hewlett-Packard’s (HP) Zero Day Initiative (ZDI) has discovered that the CVE-2010-2568 fix was not, in fact, complete and the underlying vulnerability has remained exploitable the whole time.
“HP’s Zero Day Initiative reported this issue to Microsoft on Jan. 8, 2015,” Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK.
ZDI has a 120-day disclosure policy, whereby it will publicly disclose issues that have been reported to vendors after 120 days, if a patch has not been released. By releasing a patch now, Microsoft is well within the 120-day deadline, which highlights the severity of the issue, Gorenc explained.
The proof-of-concept code exploits that HP’s ZDI provided to Microsoft on the security flaw were designed to bypass the validation checks put in place by MS10-046, the bulletin released in 2010 to patch CVE-2010-2568, he adi. Rather than update the CVE-2010-2568 vulnerability information, a new identifier has been assigned with CVE 2015-0096 to encompass the expanded impact.
“CVE-2015-0096 is a vulnerability in the Microsoft Windows operating system that allows remote attackers to execute arbitrary code by having the target simply browse to a directory containing a malicious .LNK file,” Gorenc said. “The patch for CVE-2010-2568 did not completely address the issues present in the Windows Shell, and the weaknesses left are now being resolved five years later as CVE-2015-0096.”
The discovery that the original Stuxnet vulnerability is still exploitable was conducted by researcher Michael Heerklotz, who sold the research to ZDI, which pays security researchers for reporting potential vulnerabilities.
ZDI does not disclose publicly the amount it pays for vulnerabilities acquired by its program, Gorenc said. “We can’t speak to how Michael Heerklotz found the flaw, but the quality of his submission was high,” he said. “It was a very enjoyable case to analyze, and we look forward to all submissions from this researcher.”
Though Microsoft is issuing a patch for CVE 2015-0096 today, HP had a fix available to protect its users much earlier.
“ZDI worked with HP TippingPoint analysts to build a Digital Vaccine filter to mitigate the vulnerability,” Gorenc said. “That was released in late January as #19340, and customers who deployed that filter have been protected ever since.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.