Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Stuxnet Flaw Finally Gets Patched After More Than 4 Years

    By
    Sean Michael Kerner
    -
    March 10, 2015
    Share
    Facebook
    Twitter
    Linkedin
      Microsoft Windows flaw

      Microsoft released its Patch Tuesday update today, providing a fix for a flaw that enabled the notorious Stuxnet attack. Most people in the world thought the vulnerability had been fixed back in 2010.

      The Stuxnet worm was an exploit that was used against a nuclear facility in Iran back in 2010, in part by taking advantage of a vulnerability in Windows. The vulnerability that enabled Stuxnet was identified as CVE-2010-2568, which was thought to have been patched by Microsoft in October 2010. More than four years later, Hewlett-Packard’s (HP) Zero Day Initiative (ZDI) has discovered that the CVE-2010-2568 fix was not, in fact, complete and the underlying vulnerability has remained exploitable the whole time.

      “HP’s Zero Day Initiative reported this issue to Microsoft on Jan. 8, 2015,” Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK.

      ZDI has a 120-day disclosure policy, whereby it will publicly disclose issues that have been reported to vendors after 120 days, if a patch has not been released. By releasing a patch now, Microsoft is well within the 120-day deadline, which highlights the severity of the issue, Gorenc explained.

      The proof-of-concept code exploits that HP’s ZDI provided to Microsoft on the security flaw were designed to bypass the validation checks put in place by MS10-046, the bulletin released in 2010 to patch CVE-2010-2568, he adi. Rather than update the CVE-2010-2568 vulnerability information, a new identifier has been assigned with CVE 2015-0096 to encompass the expanded impact.

      “CVE-2015-0096 is a vulnerability in the Microsoft Windows operating system that allows remote attackers to execute arbitrary code by having the target simply browse to a directory containing a malicious .LNK file,” Gorenc said. “The patch for CVE-2010-2568 did not completely address the issues present in the Windows Shell, and the weaknesses left are now being resolved five years later as CVE-2015-0096.”

      The discovery that the original Stuxnet vulnerability is still exploitable was conducted by researcher Michael Heerklotz, who sold the research to ZDI, which pays security researchers for reporting potential vulnerabilities.

      ZDI does not disclose publicly the amount it pays for vulnerabilities acquired by its program, Gorenc said. “We can’t speak to how Michael Heerklotz found the flaw, but the quality of his submission was high,” he said. “It was a very enjoyable case to analyze, and we look forward to all submissions from this researcher.”

      Though Microsoft is issuing a patch for CVE 2015-0096 today, HP had a fix available to protect its users much earlier.

      “ZDI worked with HP TippingPoint analysts to build a Digital Vaccine filter to mitigate the vulnerability,” Gorenc said. “That was released in late January as #19340, and customers who deployed that filter have been protected ever since.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Avatar
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×