Slashdot Mirror

← Back to Stories (view on slashdot.org)

Incomplete Microsoft Patch Left Machines Exposed To Stuxnet LNK Vulnerability

Posted by Soulskill on from the fixing-the-fix-that-fixed-not-much-at-all dept.

msm1267 writes: A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010. Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010. "That patch didn't completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch," said Brian Gorenc, manager of vulnerability research with HP's Zero Day Initiative. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.

33 comments

  1. Oh boy by hyperar · · Score: 1

    This is going to get ugly

    1. Re:Oh boy by Anonymous Coward · · Score: 0

      Yep. Simply put...not excusable. Moreover, I don't want to hear BULLSHIT about any of the things like Heartbleed and the like being a problem. A vuln is JUST THAT. It can lurk for decades in either world of coding and release. But...how fast did the others get fixed *PROPERLY* compared to this bullshit?

    2. Re:Oh boy by bhcompy · · Score: 1

      Yep, my steam turbines are going to fail earlier than I thought. Hate it when that happens

    3. Re:Oh boy by Impy+the+Impiuos+Imp · · Score: 3, Funny

      Microsoft issued a statement, "Oops."

      In a completely unrelated story, federal government threats of anti-trust prosecutions of Microsoft are at an all-time low.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  2. Re:Incomplete? by FlyHelicopters · · Score: 2

    The might have... if doing so allowed Iran to be set back by a few years on nuclear weapons development, I could see that happening...

    The question becomes, do the ends justify the means?

    Most people give a straight up "yes/no" answer to that question, however the reality is that it is a gray line. It isn't hard to come up with a situation where the answer is yes, even to the most die hard "no" person.

  3. Re:Incomplete? by Anonymous Coward · · Score: 0

    Ms has been suspected of intentionally leaving blatant backdoors in their OS for years, their patches are also suspected of fixing one hole but replacing it with another.

    It tough to say, simply becuase one would figure a whistle blower would emerge and say something, but then again the people that work at MS on patches and their software are probably under a confidentiality agreement/contract that they cannot discuss any of the work they were involved in while under employment or while they were employed with the company. And they could be seeing criminal charges filed against them, I find it a little odd more people that have worked with other software companies and have openly talked about things they were involved in that are suspect.

    I like to keep in the gray area on just about everything, so its a coin toss.

  4. Torrents? by viperidaenz · · Score: 3, Interesting

    Is this why there are torrents out there with a several hundred megabyte file with the name of a TV show ending in .mp4.lnk ?

    1. Re:Torrents? by Anonymous Coward · · Score: 1

      Download it, let us know how it turns out for you!

  5. Re:Incomplete? by TheCastro1689 · · Score: 1

    Companies have the power and backing to crush you, while other software companies don't. Even after the whole monopoly busting thing I'm sure MS and it's richer employees have bought many politicians and other government workers.

  6. SoylentNews Rocks by Frosty+Piss · · Score: 1

    I don't even read Slashdot "stories" about Microsoft anymore, because most are just obvious "troll" or click-bait aimed at the anti-microsofties that prevail at Slashdot.

    Soylentnews.com is a great site.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:SoylentNews Rocks by Anonymous Coward · · Score: 0

      Soylentnews.com is a great site.

      Is that you Gewg_?

    2. Re:SoylentNews Rocks by Anonymous Coward · · Score: 1

      Go fuck yourself with the plastic fake penis your mother gave you when you wanted to explore your rectum.

    3. Re:SoylentNews Rocks by muirhead · · Score: 1

      I don't even read Slashdot "stories" about Microsoft anymore, because most are just obvious "troll" or click-bait aimed at the anti-microsofties that prevail at Slashdot.

      Soylentnews.com is a great site.

      http://soylentnews.org/article.pl?sid=15/03/01/1949210 Are you sure?

    4. Re:SoylentNews Rocks by Anonymous Coward · · Score: 0

      You can do better.

    5. Re: SoylentNews Rocks by LocutusOfBorg1 · · Score: 1

      They don't even have a mobile website. Do they really think this year will be the year of desktops?

    6. Re:SoylentNews Rocks by Jack+Griffin · · Score: 1

      Look I'm pissed off with slashdot as much as the next guy, but soylentnews looks so shit it is unreadable. I feel like I'm reading some 1994 VGA text in horrible 4 bit colours. I'm glad they want to do better, but they're going to have to try a bit harder than that.

  7. Re:Incomplete? by Anonymous Coward · · Score: 1

    I've been a software engineer at MS off and on for 15+ years. I've never seen any agreement that said I could not discuss my work there. Make up your mind: is everything MS ever does insecure, or is it secure enough that they have to leave in back doors intentionally?

  8. Bwahahahaha... by Anonymous Coward · · Score: 0

    Linux. Had to rub it in.

  9. Secure Consumer OS = Oxymoron by BoRegardless · · Score: 1

    Doesn't exist on so many levels it is now passé.

    1. Re:Secure Consumer OS = Oxymoron by Anonymous Coward · · Score: 1

      They don't want you to be secure FROM THEM, even if that opens you up to everyone else. Who the fuck are you, if you don't have an acronym after your name?

  10. Full details are now avaiable by InfoSecGnome · · Score: 5, Informative

    Full details about how the 2010 patch failed are now available. Looks like they tried to do a whitelist check for approved CPL files, but it didn't work. There's a video too, although a video showing how to use regedit is only so useful. http://h30499.www3.hp.com/t5/H...

  11. A back door installed by Microsoft? by Anonymous Coward · · Score: 0

    The way I see it, it's quite feasible that the vulnerability was deliberately left in to provide a back door for the US government agencies to exploit. Only now that stuxnet and similar are becoming widely publicised are Microsoft closing that door.

  12. We at the NSA would like to extend our thanks... by Anonymous Coward · · Score: 0

    Here at the NSA, we would like to extend a heartfelt thank you to Microsoft for the incomplete patch. Not that we had anything at all to do with STUXNET. No, nothing at all. Nor anyone else in the U.S. government from any other agencies, nor the defense department.

    Again, THANK YOU, Microsoft.

  13. yep yep by Kekke · · Score: 4, Funny

    Howdy. Its NSA here, You can patch the hole now, Stux is no use to us anymore.
    Micro$oft: Ok, wilco. See You at lunch.

  14. Now I know by Virtucon · · Score: 1

    why all my centrifuges just blew up.

    Curse You Microsoft!

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Now I know by whoever57 · · Score: 1

      With your username, that's an excellent joke!

      --
      The real "Libtards" are the Libertarians!
  15. Re:Incomplete? by Anonymous Coward · · Score: 0

    Then why post as A.C.?

  16. Re:Incomplete? by drinkypoo · · Score: 1

    Even after the whole monopoly busting thing

    What monopoly-busting thing? The DoJ found Microsoft guilty of having abused its monopoly position, then Ashcroft (under Bush) excused them for their wrongdoing and nothing happened.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"