A critical Windows vulnerability that was one of several exploited by the notorious Stuxnet worm as long ago as 2008 was not completely patched until just yesterday, a security researcher said.
Brian Gorenc, manager of vulnerability research at Hewlett-Packard's TippingPoint, blamed lax quality control at Microsoft for the oversight. "You would have expected that this would have been caught, especially with the [vulnerability's] visibility," said Gorenc, who also head TippingPoint's Zero Day Initiative (ZDI) bug bounty program.
The flaw in Windows was purportedly fixed in August 2010, when Microsoft issued an emergency update -- often dubbed "out-of-band" or "out-of-cycle" to denote that it was released outside the usual Patch Tuesday schedule -- but it did not entirely quash the bug, according to TippingPoint, a maker of intrusion detection products.
"The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment," HP wrote in a Tuesday post.
Microsoft quashed the remaining exploit vector yesterday in one of the 14 security updates it released around 10 a.m. PT. In the accompanying advisory, however, Microsoft made no mention of the fact that it was shutting a barn door left open for more than four and a half years.
Instead, a Microsoft spokesperson called the bug "a new vulnerability that required a new security update" in an emailed statement.
"As technology is always changing, so are the tactics and techniques of cybercriminals," the spokesperson continued. "It is an unfortunate reality of today’s interconnected world that some people and organizations seek to disrupt technology and steal information for nefarious purposes."
The original bug was related to Windows "shortcut" files, the placeholders typically dropped on the desktop, into the Start menu, or into folders to represent links to actual files or programs. Windows failed to correctly parse those shortcuts, identified by the ".lnk" extension, and hackers exploited the bug using USB flash drives. By crafting a malicious .lnk file, attackers were able to hijack a Windows PC with little user interaction: All that was necessary was that the user viewed the contents of the USB drive with a file manager like Windows Explorer.
Stuxnet, the worm reportedly crafted by U.S. and Israeli intelligence agencies, used that vulnerability, and at least three others, to infect control systems at Iran's nuclear fuel enrichment facilities. Experts believed that the worm was deployed in an attempt to slow or even cripple Iran's efforts to develop nuclear weapons.
The .lnk vulnerability and its USB-based attack approach, analysts and researchers surmised, was used to bridge the "air gap" between PCs connected to the Internet and those that ran the enrichment control systems. The latter would have been isolated from other computers for security purposes.
ZDI received a report from outside researcher Michael Heerklotz in early January that the earlier patch was flawed. As per its policy, ZDI forwarded information to Microsoft and withheld news of the vulnerability until the Redmond, Wash. company rolled out a fix.
Gorenc was critical of Microsoft's omission four years ago. "Considering the number of eyes that have looked at that code and the patch, it's surprising that it actually existed," Gorenc said. "It proves that they're not analyzing the patches as much as we thought."
He also noted that exploits were able to sidestep Windows' defenses, including ASLR (address space layout randomization). "It's definitely interesting to see that researchers [like Heerklotz] are interested in looking for arbitrary code execution where memory corruption defenses in Windows are ineffective," Gorenc said in an interview. "All you have to do is browse to a folder on a malicious site and you'll execute code. It's a very silent way to get into a system."
Microsoft said it had no evidence that Heerklotz's findings had been used in actual attacks. "When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers," the MS15-020 bulletin said.
While Gorenc had no proof to the contrary, he implied that others -- including cyber criminals -- may also have dug into the 2010 patch, possibly long ago. "Clearly, people have been looking at the code base and looking for ways to bypass the validation check," he said of the original fix's approach. "It's hard to believe that it went undiscovered until now."
All supported versions of Windows, from Windows Server 2003 -- which will be retired in July -- to the latest Windows 8.1, contained the errant patch, and so must be re-patched with yesterday's update.
Gorenc confirmed that MS15-020 plugged the hole Heerklotz found, at least in the versions of Windows that ZDI was able to check. Because Microsoft no longer issues public patches for Windows XP -- it dropped off the support list in April 2014 -- but does provide critical updates to corporate customers who have paid for custom post-retirement support, his team was unable to verify the efficacy of any XP fix.
Windows XP did receive the 2010 update -- designated as MS10-046 -- and is virtually guaranteed to have the flaw discovered by Heerklotz.
The silver lining in this, Gorenc said, is that researchers were taking second, third and maybe even more looks at Microsoft's patches. "But it's a pretty amazing find," he said.