Stuxnet attackers used 4 Windows zero-day exploits

Summary: The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into -- and spread around -- Microsoft's Windows operating system.

The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into -- and spread around -- Microsoft's Windows operating system, according to a startling disclosure from the world's largest software maker.

Two of the four vulnerabilities are still unpatched.

As new details emerge to shine a brighter light on the Stuxnet attack, Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems, and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine.

The malware also exploited two different elevation of privilege holes to gain complete control over the affected system.  These two flaws are still unpatched.

Kaspersky Lab (disclosure: my employer) discovered two of the three new zero-days and worked closely with Microsoft during the research and patch-creation process.

As part of today's Patch Tuesday releases, Microsoft shipped MS10-061 with a fix for the Print Spooler Service Impersonation flaw.  This update is rated "critical" for all supported versions of Windows.

The LNK vulnerability was patched with an emergency fix in August 2010.

Patches for the two elevation-of-privilege flaws are still outstanding.

According to Kaspersky Lab's Alexander Gostev, the Stuxnet attack was one of a kind.

"The fact that Stuxnet targets no fewer than four previously unidentified vulnerabilities makes the worm a real standout among malware," Gostev said.

"It's the first time we’ve come across a threat that contains so many 'surprises'," Gostev added, noting that the worm also used signed digital certificates stolen from RealTek and JMicron and also exploited security problems in the Simatic WinCC SCADA systems.

"Stuxnet was undoubtedly created by professionals who've got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS 7," Gostev added.

There have been rumblings that Stuxnet may be linked to nation-state cyber-attacks.


Talkback

39 comments
  • RE: Stuxnet attackers used 4 Windows zero-day exploits

    Which versions of Windows (XP, Vista, Win7, server versions) and which platforms (32bit, 64bit) are vulnerable if completely unpatched?

    Also, if you have the two already provided patches installed, are you still vulnerable to this issue or are you relatively safe from this particular implementation of the attack?
    PollyProteus
    • You mean they attacked with made-up terms?

      More ZDNet crap: "zero day". WTF is that supposed to mean? They've been troweling this out for YEARS with no explanation.

      Yeah, to make up for ignorance, the best thing to do is create fake terms and then use them over and over and over despite being called on it.

      Piss off, ZD.
      dgurney
      • RE: Stuxnet attackers used 4 Windows zero-day exploits

        @dgurney They didn't make that term up; it's been around for a long while. It means an attack that targets a vulnerability that even the vendor of the product doesn't know about.

        This took maybe five seconds to find using google; one of those seconds was to type "zero day" into the search box, and three were to wait for the page to load.
        Third of Five
  • More of the same

    Windows vulnerabilities are so many and varied they're not news anymore.

    Nothing to see here, moving on...
    OS Reload
    • Interesting how you say that...

      @OS Reload : ... when you cheer to high heaven when even a single exploit is claimed for OS X.

      Double standards -- you know?
      Vulpinemac
    • Re: "Nothing to see here"

      @OS Reload:
      Please STFU, because every sysadmin (and almost every home PC user as well) needs to know about these things.

      I do, even though my personal machine is Mandriva Linux, and doesn't even HAVE a Windows partition on it.
      Rick S._z
  • RE: Stuxnet attackers used 4 Windows zero-day exploits

    You know that Microsoft Windows security is getting extremely good when attackers have to use 4 different vulnerabilities just to execute one attack. Since 2 of them are already patched that leaves 2 remaining and you can't pull this attack off with only half of them. Nice try worm writers but Microsoft won this battle once again.
    Loverock Davidson
  • Good read.

    It's interesting to see how more and more complex attacks like these grow.
    The one and only, Cylon Centurion
    • And worrying that they managed to find so many exploits!

      @NStalnecker

      It would be foolish to assume that these particular malware authors have no more "zero day" exploits up their sleeves, given that they've shown themselves very capable in finding them.

      And with the two privilege escalation exploits still unpatched, any boasts about sandboxing have been rendered moot.
      Zogg
      • Mmm hmmm.

        @Zogg

        Unfortunately, these guys have evolved far beyond the script kiddies of yesteryear. It'll be interesting to see where this goes in the next 5-10 years.
        The one and only, Cylon Centurion
  • RE: Stuxnet attackers used 4 Windows zero-day exploits

    I hope this patch fixes the problem well. And for those who say "Get a Mac or use Linux because they don't get viruses" should stop to think that maybe we use Windows because it meets our needs and changing systems is not an option as a result. You're not being helpful by being smug!
    mjl65
    • There is a solution

      Put Linux on your machine and run your Windows sandboxed in a VM. Then at least the damage is limited if it does happen and you can always restore your image to a known good point.
      frgough
      • RE: Stuxnet attackers used 4 Windows zero-day exploits

        @frgough

        A very good suggestion. Use Linux or Mac OS X for your general use, and Windows in a VM for the particular services that need it. That is what I do.
        jorjitop
      • And the performance hit

        is nothing compared to the resulting smugness high you receive.
        dgurney
  • RE: Stuxnet attackers used 4 Windows zero-day exploits

    Will you mental morons stop with the one-upmanship and get to the heart of the matter. I've known many people with multiple degrees, but they know squat about applying all that "book-learning" to real life. I readily admit you "gentlemen" have electronic knowledge that makes my knowledge of the field to be of "stone-age" quality, but your bantering makes me want to dump this Newsletter because you characters are not being helpful or respectful to yourselves or each other, and are certainly not being helpful to us "stone-age" people who are really trying to improve our understanding in this field so we can at least keep our personal "rock" computers from being blown to bits. So how about it, fellows; be helpful, or stay off the site yourselves.
    Tuggerofhearts
  • But Windows is so much more safer than OSX.

    OSX gets totally owned yearly during the Pwn2Own contest at a security conference in Vancouver. So this report is obviously debunked due to the seriousness of that contest.
    ashdude
    • I don't recall anyone saying Windows is safer than OS X.

      @ashdude: With its low market share, OS X is currently safer than Windows.
      ye
      • I believe Miller said

        that OS X is safer than Windows, but Windows was far more secure.
        rtk
  • Siding with Cyberslammer

    I'm afraid I'm going to have to side with cyberslammer on this one. Not because he's an arrogant prick (which he is) but because he's right.

    @SonofaSailer
    You quizzed Cyberslammer on his previous posts on this site. Your first point was that he says that he used Windows in one post and then condemned Windows in another post. That's fine; personally I use Linux, however I do use Windows for security testing etc.

    Also whoever is saying that there are two vulns patched and this somehow makes it harder for the worm to propagate is wrong. If it's a good vuln you only need one for it to work. My guess is that the malware author used multiple vulns to either disguise the worm or to make it that much harder to patch (which evidently has worked).

    At the end of the day, both Linux and Mac OSX are much more secure as a whole. That is, when you take it in the context of the number of really dangerous exploits that exist and are being exploited in the wild, then Windows is much, much less secure than Linux and Mac OSX.
    However, if you take out of the equation that the majority of malware research is done on Windows and the fact that the average Windows user is a dumb **** then Linux, Mac OSX and Windows all have the same security level.
    Alias14
    • What is he right about?

      @Alias14: "I'm afraid I'm going to have to side with cyberslammer on this one. Not because he's an arrogant prick (which he is) but because he's right."

      So far the only thing I've seen from him are ad homs against LD. I saw no attempt to disprove what LD had written. And I've gone back and re-read the post LD made which caused Cyberslammer to begin his ad hom attacks. And for the life of me I can't find anything wrong with what LD said.

      "Also whoever is saying that there are two vulns patched and this somehow makes it harder for the worm to propagate is wrong."

      How? The worm LD referred to requires these two vulnerabilities to function. Since they're patched, why do you think this worm, in its current form, would continue to function?

      "My *guess* is that the malware author used multiple vulns to either disguise the worm or to make it that much harder to patch (which evidently has worked)."

      Your guess? So you don't know? According to the description, the use of multiple vulnerabilities was done to make the worm work.
      ye