Zero Day

Ryan Naraine and Dancho Danchev

Stuxnet attackers used 4 Windows zero-day exploits

By | September 14, 2010, 11:18am PDT

Summary: The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft’s Windows operating system.

The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft’s Windows operating system, according to a startling disclosure from the world’s largest software maker.

Two of the four vulnerabilities are still unpatched.

As new details emerge to shine a brighter light on the Stuxnet attack, Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems, and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine.

The malware also exploited two different elevation of privilege holes to gain complete control over the affected system. These two flaws are still unpatched.

Kaspersky Lab (disclosure: my employer) discovered two of the three new zero-days and worked closely with Microsoft during the research and patch-creation process.

As attacks escalate, Microsoft ships emergency Windows patch

As part of today’s Patch Tuesday releases, Microsoft shipped MS10-061 with a fix for the Print Spooler Service Impersonation flaw. This update is rated “critical” for all supported versions of Windows.

The LNK vulnerability was patched with an emergency fix in August 2010.

Patches for the two elevation-of-privilege flaws are still outstanding.

According to Kaspersky Lab’s Alexander Gostev, the Stuxnet attack was one of a kind.

“The fact that Stuxnet targets not one, but four previously unidentified vulnerabilities makes the worm a real standout among malware,” Gostev said.

“It’s the first time we’ve come across a threat that contains so many ‘surprises’,” Gostev added, noting that the worm also used signed digital certificates stolen from RealTek and JMicron and also exploited security problems in the Simatic WinCC SCADA systems.

“Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS 7,” Gostev added.

There have been rumblings that Stuxnet may be linked to nation-state cyber-attacks.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 39)

  • RE: Stuxnet attackers used 4 Windows zero-day exploits
    Which versions of Windows (XP, Vista, Win7, server versions) and which platforms (32bit, 64bit) are vulnerable if completely unpatched?

    Also, if you have the two already provided patches installed, are you still vulnerable to this issue or are you relatively safe from this particular implementation of the attack?
    PollyProteus
    14th Sep 2010
  • You mean they attacked with made-up terms?
    More ZDNet crap: "zero day". WTF is that supposed to mean? They've been troweling this out for YEARS with no explanation.

    Yeah, to make up for ignorance, the best thing to do is create fake terms and then use them over and over and over despite being called on it.

    Piss off, ZD.
    dgurney
    16th Sep 2010
  • RE: Stuxnet attackers used 4 Windows zero-day exploits
    @dgurney They didn't make that term up; it's been around for a long while. It means an attack that targets a vulnerability that even the vendor of the product doesn't know about.

    This took maybe five seconds to find using google; one of those seconds was to type "zero day" into the search box, and three were to wait for the page to load.
    Third of Five
    20th Sep 2010
  • More of the same
    Windows vulnerabilities are so many and varied they're not news anymore.

    Nothing to see here, moving on...
    OS Reload
    14th Sep 2010
  • Interesting how you say that...
    @OS Reload : ... when you cheer to high heaven when even a single exploit is claimed for OS X.

    Double standards -- you know?
    vulpine@...
    14th Sep 2010
  • Re: "Nothing to see here"
    @OS Reload:
    Please STFU, because every sysadmin (and almost every home PC user as well) needs to know about these things.

    I do, even though my personal machine is Mandriva Linux, and doesn't even HAVE a Windows partition on it.
    Rick S._z
    15th Sep 2010
  • RE: Stuxnet attackers used 4 Windows zero-day exploits
    You know that Microsoft Windows security is getting extremely good when attackers have to use 4 different vulnerabilities just to execute one attack. Since 2 of them are already patched that leaves 2 remaining and you can't pull this attack off with only half of them. Nice try worm writers but Microsoft won this battle once again.
    Loverock Davidson
    14th Sep 2010
  • Good read.
    It's interesting to see how more and more complex attacks like these grow.
    Cylon Centurion
    14th Sep 2010
  • And worrying that they managed to find so many exploits!
    @NStalnecker

    It would be foolish to assume that these particular malware authors have no more "zero day" exploits up their sleeves, given that they've shown themselves very capable in finding them.

    And with the two privilege escalation exploits still unpatched, any boasts about sandboxing have been rendered moot.
    Zogg
    14th Sep 2010
  • Mmm hmmm.
    @Zogg

    Unfortunately, these guys have evolved far beyond the script kiddies of yesteryear. It'll be interesting to see where this goes in the next 5-10 years.
    Cylon Centurion
    14th Sep 2010
  • RE: Stuxnet attackers used 4 Windows zero-day exploits
    I hope this patch fixes the problem well. And those who say "Get a Mac or use Linux because they don't get viruses" should stop to think that maybe we use Windows because it meets our needs and changing systems is not an option as a result. You're not being helpful by being smug!
    mjl65
    14th Sep 2010
  • There is a solution
    Put Linux on your machine and run your Windows sandboxed in a VM. Then at least the damage is limited if it does happen and you can always restore your image to a known good point.
    frgough
    14th Sep 2010
  • RE: Stuxnet attackers used 4 Windows zero-day exploits
    @frgough

    A very good suggestion. Use Linux or Mac OS X for your general use, and Windows in a VM for the particular services that need it. That is what I do.
    jorjitop
    16th Sep 2010
  • And the performance hit
    is nothing compared to the resulting smugness high you receive.
    dgurney
    16th Sep 2010
  • RE: Stuxnet attackers used 4 Windows zero-day exploits
    Will you mental morons stop with the one-upmanship and get to the heart of the matter. I've known many people with multiple degrees, but they know squat about applying all that "book-learning" to real life. I readily admit you "gentlemen" have electronic knowledge that makes my knowledge of the field to be of "stone-age" quality, but your bantering makes me want to dump this Newsletter because you characters are not being helpful or respectful to yourselves or each other, and are certainly not being helpful to us "stone-age" people who are really trying to improve our understanding in this field so we can at least keep our personal "rock" computers from being blown to bits. So how about it, fellows; be helpful, or stay off the site yourselves.
    Tuggerofhearts
    14th Sep 2010
