The original patch didn't fix everything

On Tuesday, most of the public was focused on Microsoft’s patches for the FREAK vulnerability. However, Redmond also pushed a fix that addresses a problem with a patch released in 2010, which left users exposed to one of the core vulnerabilities that enabled Stuxnet.

MS15-020 (rated critical by Microsoft) impacts all supported versions of Windows, from Vista and Windows Server 2003, to Windows 8.1 and Server 2012 R2.

Stuxnet was discovered in June of 2010. The worm targeted zero-day flaws in Windows, as well as PLCs (programmable logic controllers) in Iran. It’s arguably the first, and most famous, example of government-developed malware. Its creation is said to have been a joint operation between Israel and the United States.

The flaw leveraged by Stuxnet allowed .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files.

“The problem is that in Windows, icons are loaded from modules (either executables or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could,” wrote Dave Weinstein in an HP TippingPoint report on this month’s patch.

However, outside of the nuclear targets in Iran, Stuxnet also exposed computers across the globe to attacks leveraging the same zero-day flaws. As a result, Microsoft issued MS10-046 in August 2010.

The fix created a whitelist, which in theory would only allow approved .CPL files to be used to load non-standard icons for links.

“The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment,” Weinstein added.

HP TippingPoint has a complete workup on the recent patch, including an overview of why the original patch failed.

“Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma — the defender must be strong everywhere, while the attacker needs to find only one mistake,” Weinstein concluded.

Update: A Microsoft spokesperson sent the following statement after this story initially ran.

“This is a new vulnerability that required a new security update. Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals. It is an unfortunate reality of today’s interconnected world that some people and organizations seek to disrupt technology and steal information for nefarious purposes. We will continue to stand guard against any attempts to exploit our products and do what is necessary to help further protect our customers.”