{"id":15227,"date":"2010-09-16T11:28:00","date_gmt":"2010-09-16T09:28:00","guid":{"rendered":""},"modified":"2010-09-16T11:28:00","modified_gmt":"2010-09-16T09:28:00","slug":"microsoft-and-kaspersky-co-operate-to-patch-windows","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/software\/15227-microsoft-and-kaspersky-co-operate-to-patch-windows.html","title":{"rendered":"Microsoft and Kaspersky co-operate to patch Windows"},"content":{"rendered":"<p>Kaspersky Lab announced that it has co-operated with Microsoft in successfully closing a serious vulnerability in Microsoft Windows.<\/p>\n<p>The vulnerability was classified as being of the &lsquo;zero-day&rsquo; type when it was detected, and has been used by the notorious Stuxnet worm. Worm.Win32.Stuxnet is remarkable in that it is basically an industrial espionage tool &#8211; it is designed to gain access to the Siemens WinCC operating system which is responsible for data collection and monitoring production.<\/p>\n<p>Ever since it first emerged in July 2010, IT security specialists have watched Worm.Win32.Stuxnet closely. Kaspersky Lab says that it has gone to great lengths to research Stuxnet&rsquo;s capabilities and has discovered that, in addition to the vulnerability when processing LNK and PIF files that was detected originally, it also uses four other vulnerabilities in Windows.<\/p>\n<p>One such example is MS08-067, which was also used by the infamous Kido (Conficker) worm in early 2009. The other three vulnerabilities were previously unknown and exist in the current versions of Windows.<\/p>\n<p>Along with MS08-067, Stuxnet also uses another vulnerability to propagate.<\/p>\n<p>This vulnerability exists in the Windows Print Spooler service and can be used to send malicious code to a remote computer where it is then executed.<\/p>\n<p>By virtue of the features of this vulnerability, the infection can spread to computers using a printer or through shared access to one. 
Having infected a computer connected to a network, Stuxnet then attempts to spread to other computers.<\/p>\n<p>Kaspersky says that they immediately reported the vulnerability to Microsoft when they detected it.<\/p>\n<p>Microsoft then analysed it themselves and agreed with Kaspersky Lab&rsquo;s findings. The vulnerability was classified as a Print Spooler Service Impersonation Vulnerability and was rated as &lsquo;critical&rsquo;. Microsoft immediately started working to close the loophole and subsequently released the MS10-061 patch on 14 September 2010.<\/p>\n<p>Kaspersky says that they detected yet another zero-day vulnerability in the Stuxnet code. It was classified as an &lsquo;Elevation of Privilege&rsquo; (EoP) vulnerability which could be exploited by the worm to gain full control over the infected computer.<\/p>\n<p>A similar EoP-class vulnerability was detected by Microsoft&rsquo;s experts, Kaspersky says. Both will be corrected in future security updates for Windows operating systems.<\/p>\n<p>Kaspersky honoured Alexander Gostev, Chief Security Expert at Kaspersky Lab, who they say played an active role in identifying the new threat and co-operated closely with Microsoft to resolve the issue.<\/p>\n<p>&ldquo;Stuxnet was the first malware program to simultaneously exploit as many as four vulnerabilities,&rdquo; said Alexander Gostev. &ldquo;This makes Stuxnet truly unique: it is the first threat we have encountered that contains this many surprises in a single package. Before we detected this new vulnerability, it would have been worth a fortune to hackers. Given Stuxnet also uses Realtek and Jmicron digital certificates &ndash; and remember too that it was ultimately designed to steal the data stored in Simatic WinCC SCADA &ndash; all of this makes this threat truly unprecedented. 
It has to be said, the malware writers have demonstrated quite remarkable programming skills.&rdquo;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab announces its collaboration with Microsoft to close a zero-day vulnerability used by the Stuxnet malware family to exploit Windows<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-15227","post","type-post","status-publish","format-standard","hentry","category-software"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/15227"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=15227"}],"version-history":[{"count":0,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/15227\/revisions"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=15227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=15227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=15227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}