Slashdot Mirror


Microsoft Has No Plans To Patch New Flaw

Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

5 of 217 comments

  1. Re:Source? by alexhs · · Score: 5, Informative

    there is no link here to any article that claims Microsoft has no plans to patch the flaw.

    To be fair the summary states

    it has no plans to patch the flaw right now

    Which is in the 2nd link actually.

    Microsoft said it is investigating the flaw and looking at possible solutions, however there was no clear indication that the company intends to patch the flaw in the near future.

    Well, from that quote to the summary, there is quite a stretch, but what did you expect?

    --
    I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
  2. Re:Was there a point to this? by 0123456 · · Score: 5, Informative

    Do you propose a better model?

    Yes, don't trust anything unless you absolutely have to. In user land, for example, we have SELinux and Apparmor to prevent applications from accessing things they shouldn't; protecting the kernel is obviously harder.

    How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system?

    Generally speaking, Linux drivers are only installed if signed by the distro repository, and you have to trust that key: if it's compromised you're toast. Windows has three bazillion drivers signed by three bazillion keys and only one needs to be compromised.

    Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there.

  3. Re:Who fault is it? by causality · · Score: 5, Informative

    But to blame this one on Microsoft is asinine, how were they supposed to do anything different?

    Do you have any familiarity whatsoever with this situation?

    Windows has an acknowledged flaw/vulnerability related to its handling of .lnk files (shortcuts). That flaw is being exploited to install this malicious driver. The problem has been greatly compounded by the fact that the driver is signed by a previously-trusted private key, but this is not the original flaw. Normally the act of merely plugging in a USB thumbdrive does not immediately install system software such as device drivers. It is that acknowledged .lnk flaw that makes this possible.

    If you can install a hardware driver with an exploit, you can also install a worm, rootkit, etc. This attack happens to install a device driver. If Realtek's private key had never been compromised, then instead of installing a malicious device driver, you'd have Windows users plugging in infected USB thumbdrives and immediately becoming members of botnets. The flaw is in the Windows system and its handling of shortcut files.

    It is that flaw and only that flaw for which Microsoft is being blamed.

    I suppose Microsoft could release a Windows update that revokes trust for any cert signed by VeriSign

    Why would they do that when VeriSign can revoke only this specific Realtek cert? In fact that's exactly what they have done.

    Seriously. Did you even bother to read the summary? At all? I'll quote it for you. This is the summary, verbatim:

    "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

    Emphasis is mine. Now go clean the egg off your face.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  4. Re:Certificate revoked by arth1 · · Score: 5, Informative

    The certificate was revoked.

    Does it mean I need to update my drivers from Realtek, otherwise it spits them out?

    No. Windows' security model only checks the certificate during install.

    And even so, it doesn't update the revocation list automatically on install, nor does it check with OCSP; you won't get the revocation certificate unless you specifically install "Root certificate updates" through Microsoft Update, which is usually found on the "optional" installs. So chances are that a lot of people will be able to install this malware in the future too.

  5. Re:Certificate revoked by mosschops · · Score: 5, Informative

    Windows' security model only checks the certificate during install.

    64-bit versions of Vista and Windows 7 require a valid Class 3 code signing certificate to load the driver, not just on installation. Revoking that certificate will stop the devices from working, as the parent poster suspected. Though it may not be the same certificate for all Realtek uses.
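Comments 4 and 5 turn on whether the signer certificate of an already-installed driver is ever re-checked against a revocation list. The PowerShell below is an added example, not code from any poster in this thread: it inventories the signer of every .sys file in the default driver directory (an assumed location) and rebuilds each signer's chain with revocation checking forced online, so a defender can see which installed drivers are signed by a certificate that has since been revoked.

```powershell
# Added example: list driver signers and re-check each signer chain with
# online CRL/OCSP lookups, which Windows does not do on its own at install time.
# Assumption: drivers live in the default %SystemRoot%\System32\drivers.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Test-SignerRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Force the chain builder to fetch CRL/OCSP data rather than trust the local cache.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    if ($ok) { return 'ChainOK' }
    # Join every status flag (Revoked, RevocationStatusUnknown, NotTimeValid, ...)
    return (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}

$report = Get-ChildItem -Path $driverDir -Filter *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        [PSCustomObject]@{
            Driver     = $_.Name
            SigStatus  = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Subject    = if ($signer) { $signer.Subject } else { '' }
            Thumbprint = if ($signer) { $signer.Thumbprint } else { '' }
            Revocation = if ($signer) { Test-SignerRevocation $signer } else { 'n/a' }
        }
    }

# Flag drivers whose signature is not Valid, or whose signer is revoked or could
# not be checked. An expired signer shows NotTimeValid here because X509Chain
# ignores the Authenticode timestamp, so that status alone is not alarming.
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revocation -match 'Revoked|RevocationStatusUnknown|OfflineRevocation' } |
    Format-Table -AutoSize
```

A revoked signer on a driver that still loads is exactly the gap comment 4 describes; on the 64-bit systems comment 5 discusses, that same driver would be refused at load once the revocation is known locally.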