A critical Windows vulnerability that was one of several exploited by the notorious Stuxnet worm as long ago as 2008 was not completely patched until just yesterday, a security researcher said.
Brian Gorenc, manager of vulnerability research at Hewlett-Packard's TippingPoint, blamed lax quality control at Microsoft for the oversight. "You would have expected that this would have been caught, especially with the [vulnerability's] visibility," said Gorenc, who also heads TippingPoint's Zero Day Initiative (ZDI) bug bounty program.
The flaw in Windows was purportedly fixed in August 2010, when Microsoft issued an emergency update (bulletin MS10-046, covering the bug tracked as CVE-2010-2568). Such updates are often dubbed "out-of-band" or "out-of-cycle" to denote that they are released outside the usual Patch Tuesday schedule. That update did not entirely quash the bug, according to TippingPoint, a maker of intrusion prevention products.
"The patch failed. And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment," HP wrote in a Tuesday post.
Microsoft quashed the remaining exploit vector yesterday in one of the 14 security updates it released around 10 a.m. PT (bulletin MS15-020, which tracks the incomplete-fix bug as CVE-2015-0096). In the accompanying bulletin, however, Microsoft made no mention of the fact that it was shutting a barn door left open for more than four and a half years.
The original bug was in how Windows handled "shortcut" files, the placeholders typically dropped on the desktop, into the Start menu, or into folders to represent links to actual files or programs. When the Windows shell drew the icon for a shortcut (a file with the ".lnk" extension) that pointed at a Control Panel item, it loaded the module named in the shortcut in order to render that icon, so a shortcut naming an attacker-supplied DLL ran the attacker's code without a single click. Hackers exploited the bug using USB flash drives: by crafting a malicious .lnk file, attackers were able to hijack a Windows PC with almost no user interaction. All that was necessary was that the user viewed the contents of the USB drive with a file manager like Windows Explorer, which renders the icon of every file it lists.
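As an added illustration (example code written for this page, not code from the article, HP, or Microsoft), the script below parses the shell-link header and LinkTargetIDList of a .lnk file, which is where a shortcut names the shell item whose icon Explorer will render, and flags shortcuts whose target items embed a path to a loadable module or a Win32 device path. The two sample shortcuts are constructed inline, their item payloads are simplified stand-ins for real shell items, and the "suspect path" rule is a triage heuristic assumed by this example, not the check Microsoft's patches perform.

```python
import re
import struct

# MS-SHLLINK: the ShellLinkHeader is 0x4C bytes and opens with HeaderSize and the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} (little-endian on disk).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit A: a LinkTargetIDList follows the header


def parse_lnk(data: bytes):
    """Return (link_flags, [ItemID payloads]) from a .lnk blob.

    Only the header and the LinkTargetIDList are parsed; the other optional
    structures (LinkInfo, string data, extra data blocks) are ignored here.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        off = LNK_HEADER_SIZE
        id_list_size = struct.unpack_from("<H", data, off)[0]
        off += 2
        end = off + id_list_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while off + 2 <= end:
            item_size = struct.unpack_from("<H", data, off)[0]  # includes the 2-byte size field
            if item_size == 0:  # TerminalID closes the list
                break
            if item_size < 2 or off + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[off + 2:off + item_size])
            off += item_size
    return flags, items


ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Heuristic (an assumption of this example): a target naming a loadable module,
# or a Win32 device path (\\.\ or \\?\) such as a raw removable-media path,
# deserves a human look. A module the shell loads need not end in .dll, which
# is why the device-path rule is there as well.
SUSPECT_PATH = re.compile(r"\.(dll|cpl)$|^\\\\[.?]\\", re.IGNORECASE)


def item_strings(item: bytes):
    """Printable ASCII and UTF-16LE runs inside one ItemID payload."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(item)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(item)]
    return found


def scan_lnk(data: bytes):
    """Strings from the target ID list that match SUSPECT_PATH (empty list = nothing flagged)."""
    _, items = parse_lnk(data)
    return [s for item in items for s in item_strings(item) if SUSPECT_PATH.search(s)]


def build_lnk(item_payloads):
    """Assemble a minimal .lnk (header + LinkTargetIDList) for the constructed samples below."""
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples; the payloads are simplified stand-ins for real shell items.
BENIGN_LNK = build_lnk([b"\x31\x00notes.txt\x00"])
SUSPECT_LNK = build_lnk([
    b"\x1f\x00\x00\x00" + "\\\\.\\STORAGE#RemovableMedia#example\\payload.tmp".encode("utf-16-le"),
    b"\x31\x00C:\\Users\\Public\\evil.cpl\x00",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, scan_lnk(blob))
```

Running the script flags nothing for the benign shortcut and reports both the device path and the .cpl path for the suspect one. Treat hits as triage leads rather than verdicts: the heuristic will miss a module with an unexpected extension that sits on a plain drive path, and it says nothing about whether the host is patched, which is the only fix that closes the vector.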
Stuxnet, the worm reportedly crafted by U.S. and Israeli intelligence agencies, used that vulnerability, and at least three others, to infect control systems at Iran's nuclear fuel enrichment facilities. Experts believed that the worm was deployed in an attempt to slow or even cripple Iran's efforts to develop nuclear weapons.
The .lnk vulnerability and its USB-based attack approach, analysts and researchers surmised, were used to bridge the "air gap" between PCs connected to the Internet and those that ran the enrichment control systems. The latter would have been isolated from other computers for security purposes.
ZDI received a report from outside researcher Michael Heerklotz in early January that the earlier patch was flawed. As per its policy, ZDI forwarded the information to Microsoft and withheld news of the vulnerability until the Redmond, Wash.-based company rolled out a fix.