Software

Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed

Wait, what? Wasn’t the Stuxnet LNK vulnerability CVE-2010-2568, reported by Sergey Ulasen, patched years ago? Didn’t Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?

Yes, it was, but MS10-046 didn’t completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after Equation’s poorly QA’d USB worm spread across Pakistan exploiting the same LNK vulnerability years earlier than Stuxnet. Now, to be precise, this fix patches the newly generated label CVE-2015-0096, but the flawed functionality still is maintained with LNK handling code used to support custom icons from .cpl files. And, we have not observed a different implementation of this newly report LNK exploit in-the-wild. Yet.

Fanny

So, machines have remained vulnerable to an actively exploited codebase providing custom icon-loading support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two “target” files – one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. “Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma — the defender must be strong everywhere, while the attacker needs to find only one mistake.” In this case, it’s more that the attacker had to chain together a complex series of overlooked steps.

Microsoft’s release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 – IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.

Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed

Your email address will not be published. Required fields are marked *

 

Reports

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox