July 30, 2010

Microsoft said Thursday that it will issue an out-of-band security update on Monday to fix a critical, remotely-exploitable security hole present in all versions of Windows, which the software giant says is fueling an increasing number of online attacks.

On July 15, KrebsOnSecurity.com first warned that a flaw in the way Windows processes shortcut files (those ending in “.lnk”) was being exploited by highly targeted malicious software called “Stuxnet”. Researchers learned that Stuxnet was aimed at infiltrating Windows computers running Siemens WinCC SCADA software, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

Since then, experts have found several new variants of Stuxnet, while a growing number of more mainstream attacks have been spotted exploiting the underlying Windows flaw.

“We’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability,” wrote Christopher Budd, senior security response communications manager at Microsoft, on one of the company’s TechNet blogs. “We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”

I’m looking forward to applying this fix: About a week ago, Microsoft provided a stopgap “FixIt” tool that blunts the threat from this vulnerability, but it also changes the appearance of certain icons on the Windows desktop, often making it difficult for users to tell one program from the next. For example, here’s a screen shot of my Windows 7 desktop toolbar after I applied the fix:

I’ve found it fascinating to watch the speculation and hype swirl around this Stuxnet worm: Early on, the news media and pundits fixated on the notion that this was proof that other countries were planning cyber attacks on our power grid and other highly complex networks that rely on the types of SCADA systems targeted by Stuxnet. Then, about a week ago, experts began charting where in the world most victims were based. According to Symantec, roughly 60 percent of the systems infected with this family of malware were based in Iran, while computers in Indonesia and India also were hard-hit.

One equally likely scenario that I haven’t heard suggested much yet is that perhaps we are seeing evidence of our country’s own cyber warriors probing the networks of other nations. It is notable that the first definitions that the major anti-virus firms shipped for the Stuxnet malware were issued on or around the same day as my story, and that this malware was first discovered one month earlier by VirusBlokada, a relatively tiny anti-virus firm in Belarus that said it found the worm on computers belonging to one of its Iranian customers. What’s more, it’s unlikely that a malware threat initially directed at Iran would show up on the radar of U.S.-based anti-virus makers, all of whom are prohibited by U.S. trade sanctions from selling products and services to Iran.


25 thoughts on “Microsoft to Issue Emergency Patch for Critical Windows Bug

  1. kurt wismer

    i don’t believe you can really infer very much from the distribution of the victims. the reason being because it’s a worm.

    in spite of the apparent targeting of the payload, the distribution channel itself cannot be controlled or aimed with any degree of precision. self-replicating malware has never been a good fit for targeted attacks for this reason.

    whoever set this off in the first place may have had high aspirations, and the 0-day certainly suggests advanced capabilities, but sticking it in a container that basically broadcasts itself (albeit slowly due to the physical media constraint) bares the hallmarks of someone who lacks experience.

  2. David Fraser

    Kurt- Curious, what then do you think explains the distribution here? Is it just coincidental, or a reflection of where the worm origniated? The distribution must imply…something, but what?

    1. kurt wismer

      when it comes to replicative malware, success is often as much (or more) about good luck as it is about good execution. there have been plenty of examples of technically sophisticated viruses/worms that never got off the ground and completely buggy brain-dead ones that became widely spread.

      the geographic distribution of the victims *could* mean that those regions were more aggressively targeted, or it could mean that the worm was seeded into a population that just happened to be better represented in those regions (international attendees at trade events aren’t necessarily uniformly distributed), or it could mean the worm simply found more early reproductive opportunities there entirely by chance.

      sometimes a cloud is just a cloud.

  3. JCitizen

    If I were in the US intelligence service, I would be bucking to infect everything in Iran too. I read so little about any indirect action by our services an this kind of cold warfare, and it seems it would be smart to look at every avenue to gain an upper hand. Especially since this kind of “espionage” has always made us a victim on our side of the fence.

    Fight smarter, not harder!

  4. CloudLiam

    “What’s more, it’s unlikely that a malware threat initially directed at Iran would show up on the radar of U.S.-based anti-virus makers, all of whom are prohibited by U.S. trade sanctions from selling products and services to Iran.”

    That’s a very perceptive observation. We’ll probably never know the whole story but your theory makes more sense than most to me.

  5. reader

    What does that mean? Symantec is breaking the trade sanctions? Or do they give their AV solutions to users in Iran for free?

  6. jerome

    This is looking more and more like a geopolitical issue. It would not surprise me if this was the work of a big nation. Everybody is spying… but you dont hear that on the news… it’s easier to blame it on the chinese or whoever else we fear.

  7. Stardance

    Sunbelt Software’s VIPRE 4.0 anti-malware utility has reported “traces” of an “exploit” of the Windows .LNK and .PIF vulnerability in 4 Windows Firewall shortcut files on my computer. It is not clear whether malware used the exploit to infect the computer and we are still looking for any that might be present.

    It seems that I should mention this because the computer is near the Gulf of Mexico, and I have not accessed any web sites or networks which are related either to Iran or to any industrial SCADA system. I do not know how the “exploit” was introduced, but most likely by a JavaScript routine executed while a page from a trusted web site was rendered. That is also the most likely way that it would escape interception by VIPRE.

    Of course, it is possible that the discovery was a “false positive” although so far the Sunbelt tech support rep does not seem to think that it was.

    1. kurt wismer

      don’t get too focused on the malware that originally contained this exploit. it’s been adapted for use in other, more traditional malware already

        1. kurt wismer

          as you wish. i just think that when one is faced with the prospect of diagnosis and recovery as a result of reported detection of the exploit only, it doesn’t make sense to obsess over the high-profile origin of the exploit when the exploit is now being used in things like sality and zeus.

  8. xAdmin

    While speculation and conspiracy theories abound, this is most likely just malware authors (bad guys) doing their thing (for monetary reasons) and has nothing to do with cyber attacks by any country or government. It’s just the cat and mouse game between malware authors and software vendors.

    A serious attack on our infrastructure isn’t going to dink and dunk around with trying to propagate malware to various infrastructure (ex. SCADA) computer systems. They would most likely break out the big guns and try an EMP attack!

    1. kurt wismer

      i certainly wouldn’t rule out the possibility that it’s not the actions of a nation state, but i’m curious – if it isn’t what everyone seems to think it is, if it is just cybercriminals, how exactly are they going to monetize remote control of SCADA systems? and how did they do the SCADA-related R&D in the first place? seems like a significant investment in both time and money without a clear payoff nor reason for forgoing the lower hanging fruit.

      1. timeless

        There’s an American TV program called “Damages”, in Season 2 (the current one airing where I am), http://en.wikipedia.org/wiki/Damages_%28TV_series%29#Season_two there’s plotline which involves an Energy trader who is able to consistently bet and win on the market because he knows when power failures will happen.

        Now, ideally in the USA people would be caught for manipulating the market, although it might take a while (Enron?). In third world countries, it might be easier to arrange not to be caught (although the risks involved if your caught probably include your neck instead of a nice cushy prison cell).

  9. xAdmin

    It’s funny that everyone has focused their comments on the latter half of Brian’s post versus the fact Microsoft is issuing an emergency patch. I admit though, it’s definately more fun to speculate on the who’s and why’s behind the exploit than the technicalities of a patch.

    As a geek, I’m still looking forward to learning more information on the patch itself and any known issues related to it (if any). From a technical standpoint, it will be interesting to see the files involved and what the patch does to resolve the vulnerability. For starters, one would expect a reboot (in order to replace affected files and/or implement registry changes that are in use when the OS is running).

    I’ll usually review the technical bulletin and check SANS ISC as well for info and any possible feedback before installing it.

    One final thought, wouldn’t it be ironic if the patch were installed on affected SCADA systems via a USB thumb drive? 😛

  10. neo

    another bug open for years, just like the many remote exploits being patched through the years. anyone who trusts windows should not be trusted with data of any value, nor should they as a human be trusted with any of your conversation, they have demonstrated they lack the knowledge of securing their data, you cannot trust them to secure yours. a formal poll on the % of gossipers in the windows camp VS the *nix world with honest answers would be even more telling.

    vote me down, windows users, you’re too predictable.

  11. bart

    “another bug open for years, just like the many remote exploits being patched through the years. anyone who trusts windows should not be trusted with data of any value, nor should they as a human be trusted with any of your conversation, they have demonstrated they lack the knowledge of securing their data, you cannot trust them to secure yours. a formal poll on the % of gossipers in the windows camp VS the *nix world with honest answers would be even more telling.

    vote me down, windows users, you’re too predictable.”

    The truth, I don’t know what is worse, Windows, Windows developers, or Windows users.

  12. Mark Ratledge

    What about SP2 boxes? Microsoft ended security support for SP2 right before this vulnerability was acknowledged. How many SP2 boxes are still out there? And, will SP2 boxes be targeted now?

    1. BrianKrebs Post author

      I think you know the answer to your own question, Mark. No, xp/SP2 boxes can no longer download security updates, so they will need to have migrated to Service Pack 3. It’s not like this was announced just yesterday.

      I would imagine that XP2 boxes WILL be targeted by this, as well as by many other new exploits to come. It just stands to reason.

      1. Mark Ratledge

        Might even be exploit kits released just for SP2. But I think there’s a chance MS will change its stance and issue a patch just for SP2 on a patch Tuesday or sooner.

        1. xAdmin

          Hi Mark,

          I wouldn’t count on it. XP SP 2 support has expired. Like I said, XP SP3 has been out for over two years. There has been plenty of time to upgrade to it.

          There may have been some confusion on XP SP 2 support:

          “In Microsoft’s August 2010 OOB Security Bulletin Release webcast today, they said that the support for XP SP2 was a typo and it is going to be corrected on the website.”

          From comment at ISC SANS:
          http://isc.sans.edu/diary.html?storyid=9313

    2. xAdmin

      XP Service Pack 3 was released over two years ago! I would think that’s plenty of time to evaluate whether or not it can be installed on a system.

      Windows XP itself is nine years old! That’s a lifetime in software. It’s surprising that Microsoft even supports it anymore! (Support for Windows 2000 just ended, an even older OS).

      Suffice it to say that Microsoft supports some of their software much longer than most would expect. A great part of it is many major businesses still use these older products (we still use Windows XP where I work, a large enterprise). The fact Windows XP (with SP3) will be supported until 2014 speaks to the success and continued use of that OS (some would say it was and is Microsoft’s best OS ever).

      Myself, I have NO plans on migrating off Windows XP as it does what I need to the T and I know it like the back of my hand! That and I absolutely hate the new taskbar and other interface re-designs of Windows 7! (I don’t like the road Microsoft is going down with these re-designs that look more and more like OS X, if I wanted that type of OS, I’d buy a Mac!)

      See the “Support Lifecycle” section for more info at:
      http://en.wikipedia.org/wiki/Windows_XP

  13. Bob Primak

    There are workarounds until the Microsoft patch is released, which will not break all your shortcuts but which will offer varying degrees of protection. Infoworld.com’s News story covering two workarounds, one from G-Data, and the other from Sophos, is here:

    http://www.infoworld.com/d/security-central/g-data-releases-tool-block-windows-shortcut-attacks-841

    On my Windows XP Pro laptop, the Sophos solution conflicted with the Comodo Firewall’s Security Policies, causing a Blue Screen of Death, so I had to settle for the G-Data solution there. On my Wiondows 7 Home Premium 64-bit laptop, there are no Security Policies or Group Policies, and there the Sophos solution is working just fine.

    So be aware that there are temporary fixes which are less severe than the Microsoft Fixit, and that depending on your OS version and installed software, you may have to try a couple of different mitigations before you find on which works and doesn’t break too many other things.

    And come Monday, remove all your interim fixes and apply the real patch from Microsoft — and expect the patch to break many things. This is the price we will pay for awhile, since the affected parts of Windows are so fundamental and have such wide-reaching uses inside of Windows.

Comments are closed.