Stuxnet Attacks Used 4 Windows Zero-Day Exploits

← Back to Stories (view on slashdot.org)

Stuxnet Attacks Used 4 Windows Zero-Day Exploits

Posted by CmdrTaco on Tuesday September 14, 2010 @08:00AM from the i'll-exploit-you dept.

abadnog writes "The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft's Windows operating system, according to a startling disclosure from Microsoft. Two of the four vulnerabilities are still unpatched. Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine. The malware also exploited two different elevation of privilege holes to gain complete control over the affected system."

67 comments

Min score:

Reason:

Sort:

Zero Day? by Anonymous Coward · 2010-09-14 08:06 · Score: 1, Interesting

How can a vulnerability that Microsoft had patched a very long time ago (MS08-067) be called a zero-day? They actually had this patched through Windows Update before Conficker became the big epidemic it did. Systems with automatic update turned off were the cause for most of the Conficker problems.
1. Re:Zero Day? by CannonballHead · 2010-09-14 08:08 · Score: 4, Insightful
  
  define: zero day
  Pertaining to the day on which software is released; New; as yet unpatched
  So it sounds like zero day means that it was present in the unpatched version?
  That said, the summary says nothing about patched vs. unpatched. There would be a great outcry if a vulnerability in Linux/OSS was exploited, even though that vulnerability was already patched, and the summary failed to mention that the only reason it was exploited was because the system was NOT patched...
2. Re:Zero Day? by CannonballHead · 2010-09-14 08:09 · Score: 1
  
  (zero-day can also mean an unpatched bug I guess, too. weird.)
3. Re:Zero Day? by dch24 · 2010-09-14 08:29 · Score: 2, Interesting
  
  The exploits used unpatched bugs.
  
  That said, if this is the work of well-funded terrorists, they are probably well funded enough to have access to the Windows source code. Yes, yes, Microsoft doesn't disclose the entire code base for their OS. The parts that were exploited (like the print spooler) are probably considered "not high enough risk" and so are disclosed to governments far and near.
  
  In fact, the only guys playing catch-up seem to be the anti-virus writers.
4. Re:Zero Day? by TheRedDuke · 2010-09-14 08:51 · Score: 2, Insightful
  
  Just because MS releases a patch doesn't mean that users apply said patch.
5. Re:Zero Day? by amicusNYCL · 2010-09-14 09:04 · Score: 1
  
  So "zero-day" now means "unpatched bug", instead of the original meaning where the vulnerability was being exploited the same day it was discovered? The term "zero-day" now has no temporal meaning, then?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
6. Re:Zero Day? by dch24 · 2010-09-14 09:12 · Score: 2, Interesting
  
  Actually I was responding to his specific question: "How can a vulnerability that Microsoft had patched a very long time ago (MS08-067) be called a zero-day?"
  
  In response to your question, no, I don't define "zero-day" to mean "unpatched bug". I define it to mean "exploit found using unpatched bug in the wild on the day it is first reported to a security researcher (preferred), or else vendor (not ideal, as they have less incentive to disclose all important details)"
7. Re:Zero Day? by GrumpySteen · 2010-09-14 09:15 · Score: 4, Informative
  
  A zero-day vulnerability is widely recognized to be a vulnerability that is found only because it's being exploited, which is how the four vulnerabilities appear to have been discovered. I suspect that the author of the article reasoned that a zero-day vulnerability remains a zero-day vulnerability even after a patch is available for it.
  I don't think there's any guidelines for when, if ever, an exploit stops being called a zero-day vulnerability and becomes just a normal one.
8. Re:Zero Day? by Anonymous Coward · 2010-09-14 09:34 · Score: 2, Informative
  
  TFS lists 5 vulnerabilities, one identified as old (MS08-067). What gives you the impression that they are calling the known exploit a zero day instead of the remaining four (previously undisclosed) that they list ? Generally when being pedantic it's best to ensure you aren't making a more obvious error.
9. Re:Zero Day? by shmlco · 2010-09-14 09:55 · Score: 1
  
  "That said, if this is the work of well-funded terrorists, they are probably well funded enough to have access to the Windows source code. "
  So in other words, having source access made the problem worse....
  
  --
  Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
10. Re:Zero Day? by Anonymous Coward · 2010-09-14 10:04 · Score: 1, Insightful
  
  When you rely on security by obfuscation, yes, it does become easier when you take away the obfuscation. Best to not rely on that when it isn't reliable.
11. Re:Zero Day? by NatasRevol · 2010-09-14 10:23 · Score: 4, Informative
  
  No, it can't. The article may use it that way, but it is incorrect.
  zero-day means that there is a hack before there is knowledge or, obviously, a fix of it.
  http://en.wikipedia.org/wiki/Zero-day_attack
  
  --
  There are two types of people in the world: Those who crave closure
12. Re:Zero Day? by NatasRevol · 2010-09-14 10:25 · Score: 3, Insightful
  
  It stops being called a zero-day vulnerability... once there's a patch out. Just because a patch is or isn't used doesn't change that.
  
  --
  There are two types of people in the world: Those who crave closure
13. Re:Zero Day? by CannonballHead · 2010-09-14 10:44 · Score: 1
  
  Someone should tell wiktionary.
14. Re:Zero Day? by John+Hasler · 2010-09-14 11:04 · Score: 1
  
  > So in other words, having source access made the problem worse....
  A small set of privileged people (not the users) having source access made the problem worse. That's pretty much the definition of closed source, isn't it?
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
15. Re:Zero Day? by sjames · 2010-09-14 13:41 · Score: 1
  
  Currently, zero-day is an adjective that may be applied to any exploit (including very old exploits for which a patch has been available more than a year but never applied) including good old social engineering whenever a reporter needs to sound more authoritative or wizardy. Now we're just waiting for the -1 day exploit where due to causality violations, affected systems contact the hackers for instructions before the exploit is actually discovered.
16. Re:Zero Day? by Lord+Ender · 2010-09-14 15:21 · Score: 1
  
  In the context of security, a zero-day vulnerability is a vulnerability for which no patch exists.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
17. Re:Zero Day? by turbidostato · 2010-09-14 16:22 · Score: 1, Insightful
  
  "In the context of security, a zero-day vulnerability is a vulnerability for which no patch exists"
  References?
  I bet that a exploit against a known vulnerability is not a "zero-day" attack no matter if there's still no patch.
  But I wouldn't be surprised if software companies, especifically closed source software companies tried to change it to mean "no patch still delivered" of "before our monthly patch Thursday" since "zero-day attack" seems to imply the software vendor really couldn't do any better: another PR trick.
18. Re:Zero Day? by molecular · 2010-09-14 19:56 · Score: 1
  
  nah, after one day, it's a one-day.
19. Re:Zero Day? by Jurily · 2010-09-14 23:11 · Score: 1
  
  I always used the meaning "there was an attack on the day of release". Shame it became such a cool phrase it doesn't mean anything anymore.
20. Re:Zero Day? by BlackBloq · 2010-09-15 00:12 · Score: 1
  
  Zero day originally referred to software that was out for zero days before it was released for pirating. Then it mutated.
21. Re:Zero Day? by BlackBloq · 2010-09-15 11:00 · Score: 1
  
  Zero day originally referred to software that was out for zero days before it was released for pirating. Then it mutated. Dude.
22. Re:Zero Day? by amicusNYCL · 2010-09-15 11:54 · Score: 1
  
  Ah, the good old days. Some light warez browsing on the local BBS, followed by a couple games of Legend of the Red Dragon, Usurper, maybe even The Pit.
  Zero-day was definitely used to describe several exploits in the early days though, not just warez.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
23. Re:Zero Day? by Lord+Ender · 2010-09-16 07:42 · Score: 2, Informative
  
  Reference: common, universally-accepted infosec lingo.
  An zero-day exploit is an exploit which works against a zero-day vulnerability. As soon as a patch is released (day 1) neither the exploit nor the vulnerability are "zero-day" anymore.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
24. Re:Zero Day? by turbidostato · 2010-09-16 13:15 · Score: 1
  
  "As soon as a patch is released (day 1) neither the exploit nor the vulnerability are "zero-day" anymore."
  That's neither common sense nor INFOSEC slang. Try that:
  "As soon as a *day* has passed (day 1) neither the exploit nor the vulnerability are "zero-day" anymore."
  *That* is common sense.
  And regarding InfoSec, as old as 2003 you will find definitions like this*1:
  "FYI, I define zero-day exploits as exploits that were used to actually
  compromise a system ("in the wild") before the vulnerability was known
  to exist by most security professionals (not published on public
  security mailing lists - CERT, Bugtraq, Full Disclosure, Vendors,
  etc.)."
  See? No reference about patching and, by inference, once the vulnerability is "published on public
  security mailing lists - CERT, Bugtraq, Full Disclosure, Vendors, etc.", once the vulnerability is publicly known, in other words, it can't be a zero-day exploit (it's day zero anymore!).
  Of course, software vendors try to stretch the definition to their convenience: "everybody knows" that's impossible to cover from a zero-day exploit directly at the application level so if an attact is the result of a "zero-day exploit" instead of "a bug that went unpatched for weeks" they appear as less guilty.
  As I already said, PR in action.
  *1 http://www.mail-archive.com/isn%40attrition.org/msg02376.html
Well, at least by by+(1706743) · 2010-09-14 08:07 · Score: 4, Funny

...zero-day bug in the Print Spooler Service...
it won't affect the iPad!

Yeah, yeah, -1 Troll, -1 Flamebait, -1 Offtopic...
1. Re:Well, at least by Anonymous Coward · 2010-09-14 08:09 · Score: 0
  
  Yeah, but +1 Microsoft bashing, +1 Apple fan boy, +1 Snarky, +1 First...
2. Re:Well, at least by Anonymous Coward · 2010-09-14 08:22 · Score: 0
  
  There should be a +1 Ballsy, for posting as yourself when you really should be posting AC.
  
  Clearly, this post wouldn't receive said mod...
3. Re:Well, at least by RyuuzakiTetsuya · 2010-09-14 08:53 · Score: 1
  
  /. math
  -1 Troll + -1 Flamebait + -1 Offtopic = +5 Funny
  I hope for your sake that you don't do your own taxes...
  
  --
  Non impediti ratione cogitationus.
4. Re:Well, at least by WrongSizeGlass · 2010-09-14 09:22 · Score: 1
  
  /. math
  -1 Troll + -1 Flamebait + -1 Offtopic = +5 Funny
  I hope for your sake that you don't do your own taxes...
  Cut him a break. He's not Kreskin
5. Re:Well, at least by RyuuzakiTetsuya · 2010-09-14 09:30 · Score: 1
  
  ... Must..
  resist...
  netcraft...
  comment... Auuuuuuuugh.
  
  --
  Non impediti ratione cogitationus.
6. Re:Well, at least by Anonymous Coward · 2010-09-14 09:48 · Score: 0
  
  –I hope for your sake that you don't do your own taxes...
  Old Joke
  Question: What does 2 + 2 equal
  Engineer: precisely 2 plus precisely 2 equals exactly 4
  Philosopher
  2 plus 2 of what?... what do we mean by '2'... is 'plus' always necessary? Why must it ' equal' and not simply be?
  Accountant
  What do you want it to equal?
7. Re:Well, at least by Anonymous Coward · 2010-09-14 21:12 · Score: 0
  
  You wanted to say 1bourbon, 1scoch 1beer....
4 != four by VMaN · 2010-09-14 08:07 · Score: 1, Funny

Who else was all ready to flame about 4 being used to mean "four"?
Then I read the rest of the summary for once...
1. Re:4 != four by Spad · 2010-09-14 08:09 · Score: 1
  
  Or even "for"
2. Re:4 != four by VMaN · 2010-09-14 08:10 · Score: 1
  
  Well that was the opposite of what I meant...
3. Re:4 != four by jonescb · 2010-09-14 08:10 · Score: 2, Funny
  
  Do you mean "for"? Because 4 == four.
4. Re:4 != four by Darkness404 · 2010-09-14 08:13 · Score: 1
  
  Ok, so if 4 isn't four, what is it? Five? Six?
  
  --
  Taxation is legalized theft, no more, no less.
5. Re:4 != four by Anonymous Coward · 2010-09-14 08:13 · Score: 0
  
  Hilarious, man!
6. Re:4 != four by CannonballHead · 2010-09-14 08:14 · Score: 2, Funny
  
  When not four, 4 is 2 B.
  ... or maybe ! 2 B.
7. Re:4 != four by rakuen · 2010-09-14 08:17 · Score: 1
  
  4 = 5 for exceptionally large values of 4.
8. Re:4 != four by Anonymous Coward · 2010-09-14 08:22 · Score: 0
  
  Clearly, the only honorable way out is the time honored tradition of Grammar Nazi Seppuku.
  
  Thankfully, Grammar Nazis don't care that Nazis are German and Seppuku is a Japanese ritual. That's a History Nazi thing.
  
  Not a Historical Nazi thing, however. They're totally different. They kill themselves via gunshot AND cyanide, in bunkers.
9. Re:4 != four by c6gunner · 2010-09-14 09:28 · Score: 1
  
  +5 Facepalm
Re:4 != for by MozeeToby · 2010-09-14 08:11 · Score: 1, Informative

Who else was all ready to flame about 4 being used to mean "for"?
Fixed. And I'm legitimately trying to be helpful not just being a pain in the ass, it took me like 30 seconds to figure out what you were trying to say here.
Re:4 != for by Anonymous Coward · 2010-09-14 08:14 · Score: 1, Informative

I think he complains about the rule that numbers smaller than 10 should be written in words. So text should be "Four Windows.." not "4 Windows.." at the title.
That's why I also run Windows.... by rts008 · 2010-09-14 08:15 · Score: 0, Troll

I like user-friendly[1] screen doors to enter my submarine! ;-)
Ghahh! Where's all of that water coming from?
All hands, 'Abandon ship!'
[1] and hacker/cracker friendly, spammer friendly, gov't. friendly, and criminal friendly

--
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Gee What a Coincidence by Kernel+Rootkits · 2010-09-14 08:26 · Score: 2, Funny

It's funny how this happened right after Microsoft released the source code of Windows 7 to the Russian government...Just sayin...
1. Re:Gee What a Coincidence by VGPowerlord · 2010-09-14 08:59 · Score: 1
  
  In Russia, bugs exploit you!
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
2. Re:Gee What a Coincidence by gad_zuki! · 2010-09-14 15:41 · Score: 2, Interesting
  
  Lots of organizations and most governments have the source to windows, its not like its this closely guarded secret. Considering Stuxnet was found infecting Iranian systems more than anything else, its probably made in the good ol' USA. This thing has NSA written all over it. Its really well-done, I guess my tax dollars are at work.
Re:4 != for by iammani · 2010-09-14 08:35 · Score: 1

Undoing Informative mod. Actually, it seems he pissed off for using 4 instead of Four in the title.
Re:4 != for by StikyPad · 2010-09-14 08:37 · Score: 1

No it doesn't. It seems like he's an idiot whose first interpretation of the numeral 4 was "for".

--
https://www.eff.org/https-everywhere
Re:4 != for by clone53421 · 2010-09-14 08:57 · Score: 2, Informative

it took me like 30 seconds to figure out what you were trying to say here
Same here – but I actually figured it out as soon as I looked up and read TFHeadline.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
All these vulnerabilities.. by simp · 2010-09-14 09:25 · Score: 3, Insightful

All these neat day0 exploits wasted to get into an industrial control system. The numbers of those systems are only in the thousands, they could have taken control over millions of normal Windows PCs. Who-ever designed this must have been really determined to get data out of those Siemens controllers. Wouldn't it be easier just to bribe a local operator into getting the info?
Or did they want to create their own bot-net of Scada systems? Then you can brag that you can shutdown a country at the touch of a button.
1. Re:All these vulnerabilities.. by NatasRevol · 2010-09-14 10:33 · Score: 2, Insightful
  
  Seriously, why go to that level of trouble.
  Especially when the passwords to the database are hardcoded:
  http://www.wired.com/threatlevel/2010/07/siemens-scada/
  
  --
  There are two types of people in the world: Those who crave closure
2. Re:All these vulnerabilities.. by omglolbah · 2010-09-14 10:46 · Score: 2, Interesting
  
  I work with a constrol system made by one of the largest competetors to Siemens... The root level passwords are almost always left as the default...
  Same with the software access passwords :(
  All of the systems I work with are physically disconnected from the outside world though, so it is less of an issue.
3. Re:All these vulnerabilities.. by antifoidulus · 2010-09-14 11:19 · Score: 3, Insightful
  
  This thing is able to inject code as well. Imagine how much a company could gain if it was able to inject difficult to detect faults in its competitors products. Imagine how many armies around the world would be salivating at the opportunity to, for a few thousand dollars, basically have an opportunity to render their opponents half-billion dollar jet useless. These attacks only work, however, if you are able to fly under the radar. If the authors would have attacked normal PCs the odds of the bug being discovered and fixed would be much greater than if they only target a very small subset of Windows computers.
  
  --
  Monstar L
4. Re:All these vulnerabilities.. by joe_frisch · 2010-09-26 06:04 · Score: 1
  
  Depending on how the industrial control systems are use, you might be able to do a large amount of damage, and possibly kill people. Many facilities rely on industrial control systems to prevent damage to hardware (control sequencing of components, etc). Some facilities now rely on industrial controllers to provide human safety interlocks although these controllers need to be certified for life-safety applications, and I don't know if they could be vulnerable to similar attacks. Medical equipment may use similar systems.
  It is an interesting question - if intentional sabotage of these systems results in significant damage or deaths, and the attack can be tracked down to a national government, is this considered an act of war? If a nuclear facility or strategic asset is targeted, is a strategic retaliation warranted?
Interesting note spied in the article by Anonymous Coward · 2010-09-14 09:26 · Score: 2, Interesting

"...noting that the worm also used signed digital certificates stolen from RealTek and JMicron..."
I wonder how they obtained driver level certificates. I can imagine how, but I'd be curious to know the actual method.
I also chuckled at the fact that part of the exploit involved something that was patched a month ago. More unpatched PCs get attacked. I'm shocked. SHOCKED!
old news? by Anonymous Coward · 2010-09-14 10:38 · Score: 0

Hey Taco man you do realize this is recycled old news from about two month ago, don't you?
1. Re:old news? by turbidostato · 2010-09-14 16:28 · Score: 2, Funny
  
  "Hey Taco man you do realize this is recycled old news from about two month ago, don't you?"
  Do you mean it's not zero-day news?
Re:4 != for by Anonymous Coward · 2010-09-14 11:04 · Score: 0

That doesn't make him an idiot, just overzealous at anticipating other people's idiocy.
Still? by Anonymous Coward · 2010-09-14 18:26 · Score: 0

People are buying these systems why? Ok. There are several possible reasons. 1. They don't know about anything else, haven't tried anything else, and believe everything muthercorp tells them. 2. They are stuck with some custom software written for the muthercorp system, and can't do any better. 3. Habit, no different than crack or cleaning solvent. I don't personally use muthercorp systems because they seem to be so vulnerable. Muthercorp users will yelp out 'if yers was this pepular, yew would have these problems too! (spoken with a shaken fist, and followed by a long taste of corn or grain alcohol, and then a small spit to the ground). Its all hyperbole. Its all made-up bullshit, which can't be proven or disproven until such time as blah blah. One thing I do know is, that the system I use --for whatever reason you can dream up, and I would prefer if you could include Soviet Russia and space aliens in your stories among the reasons, my system, right now here today, doesn't have these problems. It didn't have them last week, last month or last year. I could make comment on software quality, studies by the Department of Homeland Security, etc, but to the great unwashed it all sounds like blah blah. They don't want to hear it. So here's a thank you to the ignorant masses for buying up this trash from muthercorp. If it really is your large numbers making the target big (and not poor design decisions by muthercorp) then you keep on being a ginormous target. Sacrifice yourselves so that I can compute in safety and without risk. Good Job Sparky! (I'm giving you all a great big Captain Wunderbar salute right now). I feel like I'm watching lemmings jump over the edge in order that their rotting corpses make good fertilizer for my garden.
1. Re:Still? by night_flyer · 2010-09-14 23:56 · Score: 1
  
  And the alternative is? Linux? STILL not ready for grandma's desktops. Mac? overpriced and neither have the software support of Win based machines.
  
  --
  
  Thanks to file sharing, I purchase more CDs
  Thanks to the RIAA, I buy them used...
2. Re:Still? by Anonymous Coward · 2010-09-27 03:39 · Score: 0
  
  The alternative is a Unix/Linux version designed with security in mind from the start knowing what we currently know. The short term solution would be to replace all industrial controllers which under the right circumstances could go boom in some way with well-protected (note not exactly off the shelf) Unix/Linux. Then replace those with the redesigned secure version as it becomes available. And to form an international team to research further exploits. Companies with a short-term motive profit can do it by themselves (part of the failure of business/capitalism).
  As for Grandma and the rest - they can use a commercial version of easy to use Linux when the interface becomes useful for non-professionals. At any rate Grandma, etc. aren't going to be directly using industrial control systems but trusting industrial control systems to Windows (what moron came up with this???) can potentially harm Grandma.