Slashdot Mirror


Stuxnet Attacks Used 4 Windows Zero-Day Exploits

abadnog writes "The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft's Windows operating system, according to a startling disclosure from Microsoft. Two of the four vulnerabilities are still unpatched. Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine. The malware also exploited two different elevation of privilege holes to gain complete control over the affected system."

6 of 67 comments

  1. Zero Day? by Anonymous Coward · Score: 1, Interesting

    How can a vulnerability that Microsoft had patched a very long time ago (MS08-067) be called a zero-day? They actually had this patched through Windows Update before Conficker became the big epidemic it did. Systems with automatic update turned off were the cause of most of the Conficker problems.

    1. Re:Zero Day? by dch24 · Score: 2, Interesting

      The exploits used unpatched bugs.

      That said, if this is the work of well-funded terrorists, they are probably well funded enough to have access to the Windows source code. Yes, yes, Microsoft doesn't disclose the entire code base for their OS. The parts that were exploited (like the print spooler) are probably considered "not high enough risk" and so are disclosed to governments far and near.

      In fact, the only guys playing catch-up seem to be the anti-virus writers.

    2. Re:Zero Day? by dch24 · Score: 2, Interesting

      Actually I was responding to his specific question: "How can a vulnerability that Microsoft had patched a very long time ago (MS08-067) be called a zero-day?"

      In response to your question, no, I don't define "zero-day" to mean "unpatched bug". I define it to mean "exploit found using unpatched bug in the wild on the day it is first reported to a security researcher (preferred), or else vendor (not ideal, as they have less incentive to disclose all important details)".

  2. Interesting note spied in the article by Anonymous Coward · Score: 2, Interesting

    "...noting that the worm also used signed digital certificates stolen from RealTek and JMicron..."
    I wonder how they obtained driver level certificates. I can imagine how, but I'd be curious to know the actual method.

    I also chuckled at the fact that part of the exploit involved something that was patched a month ago. More unpatched PCs get attacked. I'm shocked. SHOCKED!

  3. Re:All these vulnerabilities.. by omglolbah · Score: 2, Interesting

    I work with a control system made by one of the largest competitors to Siemens... The root level passwords are almost always left as the default...
    Same with the software access passwords :(

    All of the systems I work with are physically disconnected from the outside world though, so it is less of an issue.

  4. Re:Gee What a Coincidence by gad_zuki! · Score: 2, Interesting

    Lots of organizations and most governments have the source to Windows; it's not like it's this closely guarded secret. Considering Stuxnet was found infecting Iranian systems more than anything else, it's probably made in the good ol' USA. This thing has NSA written all over it. It's really well-done, I guess my tax dollars are at work.