Stuxnet attackers used 4 Windows zero-day exploits

Summary: The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into -- and spread around -- Microsoft's Windows operating system.

The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into -- and spread around -- Microsoft's Windows operating system, according to a startling disclosure from the world's largest software maker.

Two of the four vulnerabilities are still unpatched.

As new details emerge to shine a brighter light on the Stuxnet attack, Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine.


The malware also exploited two different elevation of privilege holes to gain complete control over the affected system. These two flaws are still unpatched.

Kaspersky Lab (disclosure: my employer) discovered two of the three new zero-days and worked closely with Microsoft during the research and patch-creation process.


As part of today's Patch Tuesday releases, Microsoft shipped MS10-061 with a fix for the Print Spooler Service Impersonation flaw. This update is rated "critical" for all supported versions of Windows.

The LNK vulnerability was patched with an emergency fix in August 2010.

Patches for the two elevation-of-privilege flaws are still outstanding.

According to Kaspersky Lab's Alexander Gostev, the Stuxnet attack was one of a kind.

"The fact that Stuxnet targets not one but four previously unidentified vulnerabilities makes the worm a real standout among malware," Gostev said.

"It's the first time we’ve come across a threat that contains so many 'surprises'," Gostev added, noting that the worm also used signed digital certificates stolen from RealTek and JMicron and also exploited security problems in the Simatic WinCC SCADA systems.

"Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS 7," Gostev added.

There have been rumblings that Stuxnet may be linked to nation-state cyber-attacks.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
