Microsoft has finally patched a security vulnerability in Windows, one of four zero-day flaws exploited by the Stuxnet worm, in its latest Patch Tuesday series of updates. The series also includes five patches for flaws Microsoft rates as “critical”. However, a security patch intended to replace one withdrawn in October has similarly failed to install, according to some user reports.
The patch, KB3033929, has caused many PCs to struggle to restart until the patch is reversed. KB3033929 is intended to replace KB2949927 and is supposed to add SHA-2 signing and verification capabilities to Windows 7 and Windows Server 2008 R2. KB2949927 was introduced, and quickly withdrawn, in October when it caused a series of Windows failures.
However, along with patches to fix the recently uncovered Freak encryption flaw, Microsoft has also got round to fixing one of the flaws exploited by Stuxnet back in 2010, which hadn’t been covered in its “emergency patch” back then.
“A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010,” according to Threatpost editor Michael Mimoso.
He continued: “Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released 2 August 2010.”
Stuxnet was the worm used to attack Iran’s nuclear programme. It is believed to have been the work of either the US National Security Agency (NSA) or Israeli intelligence. It exploited zero-day vulnerabilities in Windows, as well as security flaws in Siemens’ programmable logic controllers used in centrifuges at Iran’s Natanz uranium enrichment facility.
The outstanding vulnerability that Microsoft has finally patched affected machines from the Windows XP era all the way through to Windows 8.1.
LNK files define shortcuts to files or directories. However, explained Mimoso: “Windows allows them to use custom icons from control panel files (.CPL). In Windows… those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.”
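For defenders triaging shortcut files, the following added example (not from the article, Microsoft or Threatpost) parses the Shell Link binary layout and reports when a shortcut's icon location names a .cpl or .dll module outside the Windows directory. It reads only the ICON_LOCATION string and not the target ID list, so it is a triage heuristic rather than a detector for CVE-2015-0096; the function names, the system-path allow-list and the sample links are assumptions constructed here.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link class ID
HAS_IDLIST, HAS_LINKINFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, HAS_ICON)  # StringData fields, in file order
MODULE_EXTS = (".cpl", ".dll")
SYSTEM_PREFIXES = ("%systemroot%\\", "%windir%\\", "c:\\windows\\")  # assumed allow-list

def icon_location(data: bytes):
    """Return the ICON_LOCATION string of a Shell Link, or None if it has none."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    try:
        pos = 76
        if flags & HAS_IDLIST:       # IDListSize (2 bytes) + the ID list itself
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:     # LinkInfoSize counts its own 4 bytes
            pos += struct.unpack_from("<I", data, pos)[0]
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        for flag in STRING_FLAGS:
            if not flags & flag:
                continue
            count = struct.unpack_from("<H", data, pos)[0]
            end = pos + 2 + count * width
            if end > len(data):
                raise ValueError("truncated StringData")
            if flag == HAS_ICON:
                return data[pos + 2:end].decode(codec, errors="replace")
            pos = end
    except struct.error:
        raise ValueError("truncated Shell Link") from None
    return None

def suspicious_icon(data: bytes) -> bool:
    """True when the icon is loaded from a .cpl/.dll outside the Windows directory."""
    loc = (icon_location(data) or "").strip("\x00 ").lower()
    return loc.endswith(MODULE_EXTS) and not loc.startswith(SYSTEM_PREFIXES)

def build_sample(icon: str, flags: int = HAS_ICON | IS_UNICODE) -> bytes:
    """Constructed test data: bare header followed by one ICON_LOCATION string."""
    header = struct.pack("<I16sI", 0x4C, CLSID, flags).ljust(76, b"\x00")
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")

if __name__ == "__main__":
    for icon in (r"E:\docs\report.cpl", r"%SystemRoot%\System32\shell32.dll"):
        print(icon, "->", suspicious_icon(build_sample(icon)))
```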