Second Tuesday comes but one a month, but when it comes, drop everything and patch. Especially when Microsoft's Patch Tuesday bundle contains doozies such as this.
One of the patches is a fix for a Stuxnet vulnerability. Yes, that Stuxnet. It turns out that Microsoft failed to properly patch it, almost five years ago.
In IT Blogwatch, bloggers point and laugh.
Your humble blogwatcher curated these bloggy bits for your entertainment (updated 12.15pm PDT).
Sean Michael Kerner reports:
Microsoft released...a fix for a flaw that enabled the notorious Stuxnet attack. [We] thought the vulnerability had been fixed back in 2010.
The vulnerability [is] CVE-2010-2568, which was thought to have been patched...in October 2010 [but the] HP Zero Day Initiative...has discovered that...the underlying vulnerability has remained exploitable the whole time. ... A new identifier has been assigned...CVE 2015-0096 to encompass the expanded impact.
The discovery...was conducted by researcher Michael Heerklotz, who sold the research to [HP]. MORE
Michael "5HD" Heerklotz speaks:
Today, HP ZDI has published a detailed description of the first vulnerability I discovered this year.
I found this vulnerability after reading the amazing book “Countdown to Zero Day.” MORE
HP's Dave Weinstein fills us in:
To understand the significance...we need to go back to the last decade. In mid-2009, Stuxnet was released against the Iranian nuclear program. [It] used multiple zero-day attacks...to attack the Iranian centrifuges. ... Attacks included in Stuxnet were in use as early as 2008. The initial infection vector was a USB drive. ... A vulnerability...allowed simply browsing to a directory to run arbitrary code...and do anything the current user could. ... Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010.
The patch failed. And for more than four years, all Windows systems have been vulnerable. ... This bug has its roots in the decades-old decision to load icons by loading executable modules. ... This is a classic example of the Defender’s Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake. MORE
But Brian Krebs cycles in to say this: [You're fired -Ed.]
Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities. ... Includ[ing] a fix for...the very same vulnerability that led to...Stuxnet. Turns out, the patch...to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time
That vulnerability — first revealed [by Krebs] — was later discovered to have been one of four zero-day flaws used in Stuxnet...now widely considered to have been a joint U.S. and Israeli project.
Two other patches address...the Superfish malware and the FREAK SSL vulnerability. ... the FREAK vulnerability is thought to stem from efforts by the [NSA] to weaken encryption. ... For the first time in a while, there are no fixes from Adobe...although one of the critical patches...addresses a dangerous bug in the Adobe Font Driver. MORE
And Dan Goodin is good in ed:
"Whether this is being used in the wild over time remains to be seen," said Brian Gorenc, the lead researcher with [ZDI]. "It's hard to believe that somebody didn't know about this bug prior to it being patched today."
A blog post...makes an oblique reference to in-the-wild exploits. MORE
Oh! It does? Dan must mean this, from HP's S. Povolny:
Rumors point to this failed patch being exploited publicly. [We're] in the same position as we were with Stuxnet. MORE
Update: Someone from Microsoft dare not put their name to this PR drawer-statement:
This is a new vulnerability that required a new security update. Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited.
Technology is always changing...cybercriminals...unfortunate reality...interconnected world...disrupt technology...steal information...nefarious purposes...protect our customers. MORE
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.