Microsoft failed to properly patch the Stuxnet USB flaw in 2010… but has now (we hope)

Graham Cluley

USBI’m sure you remember the notorious Stuxnet worm, used in a joint US/Israeli operation to disrupt activities at the Natanz uranium enrichment facility in Iran.

Besides its tailored attacks against SCADA equipment, meddling with Iranian nuclear centrifuges, Stuxnet was also an eye-opener for its use of zero-day vulnerabilities.

Because Stuxnet was capable of installing itself automatically (with no user interaction required) onto a fully-patched Windows computer from a USB memory stick, even if the user has disabled the Windows AutoRun and AutoPlay feature.

In other words, a computer user only had to open Explorer on a USB stick they found lying around in the car park and that would be enough to infect their PC, whereupon it would hide its presence.

In short: that’s one nasty zero-day vulnerability.

The vulnerability (known as CVE-2010-2568) existed in Microsoft Windows’ handling of .LNK shortcut files. When Windows attempted to display the icon of an exploited .LNK file, it would malicious code instead – without any user interaction.

Back in 2010, while I was still working at Sophos, I made a video discussing what we then called the “Shortcut exploit”.

Microsoft released a patch for the vulnerability not much later (thus negating any requirement for the bespoke tool I describe in the video that Sophos had produced to prevent any mischief).

Huzzah! Or so we thought.

Because in yesterday’s Patch Tuesday, Microsoft included what appeared to be a new attempt (MS15-020) to deal with the .LNK shortcut exploit – almost five years after their first attempt.

Microsoft security bulletin

What seems to have stirred Microsoft into having another crack at the vulnerability is the work done by security researcher Michael Heerklotz, who approached Hewlett Packard’s Zero Day Initiative (ZDI) group with details of how Microsoft’s patch back in 2010 had been insufficient.

Heerklotz sold details of the vulnerability to ZDI for an undisclosed sum, which has published details of weaknesses in Microsoft’s patch and speculated that it’s possible attackers could have been exploiting the vulnerability in the intervening 4+ years.

Here’s a short video where ZDI demonstrate how failed MS10-046 patch for the Stuxnet LNK vulnerability could be exploited:

In this new version of the attack (CVE-2015-0096), ZDI’s code is bypassing validation checks that Microsoft put in place to catch the security flaw. Ironically, the initially Registry workaround suggested by Microsoft back in 2010 (before they issued the initial patch) and used by the Sophos tool appear to continue to be effective.

HP’s researchers sum up the situation as an embarrassing failure for Microsoft:

“The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

With more focus than ever before on this weakness in Windows, you would probably be wise to hold off using any USB devices until after you have applied the latest MS15-020 patch.

Fingers crossed that Microsoft has been more thorough now than it was in late 2010, and that this is the last we will be hearing of this particularly serious flaw.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Microsoft failed to properly patch the Stuxnet USB flaw in 2010… but has now (we hope)”

  1. Considering the number of breaches in the last 5 years it is facinating this vulnerability was never the culprit…

    More proof a vulnerability does not necessarily equal a breach… Let alone an attack…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES