10 Mar 15

Microsoft Fixes Stuxnet Bug, Again

Microsoft today shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 — the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Turns out, the patch that Microsoft shipped to fix that flaw in 2010 didn’t quite do the trick, leaving Windows users dangerously exposed all this time.

On this, the third Patch Tuesday of 2015, Microsoft pushed 14 update bundles to address at least 43 separate vulnerabilities in Internet Explorer, Exchange, Office and a host of other components.

Five of the patches released today fix flaws that Microsoft has assigned its most serious “critical” label, meaning the vulnerabilities these patches fix can be exploited to compromise vulnerable systems through little or no action on the part of the user — save for perhaps opening a booby-trapped file or visiting a hacked/malicious Web site.

One of the more curious critical fixes is MS15-020, which according to HP’s Zero Day Initiative researchers addresses the same vulnerability that Microsoft patched in August 2010. That vulnerability — first revealed in a post on this blog July 15, 2010 — was later discovered to have been one of four zero-day flaws used in Stuxnet, a weapon of unprecedented sophistication that is now widely considered to have been a joint U.S. and Israeli project aimed at delaying Iran’s nuclear ambitions. The folks at HP TippingPoint have published a blog post on their work in uncovering the failed fix, and how the original 2010 patch missed the mark. For more on Stuxnet, check out Kim Zetter‘s excellent new book, Countdown To Zero Day.

Two other patches address security issues that have received a great deal of media attention of late: The Superfish malware and the FREAK SSL vulnerability. Freak is a flaw that allows an attacker who controls the local network to downgrade your computer’s encrypted communications to a much weaker (and crackable) level of security — potentially allowing attackers to eavesdrop on your browsing and modify or redirect your communications.

As security expert and cryptologist Matthew Green noted, the FREAK vulnerability is thought to stem from efforts by the National Security Agency to weaken encryption technology allowed to be shipped overseas. Ironically, several researchers have shown how the NSA’s own Web site was made vulnerable by this flaw; check out SmackTLS.com for more on that.
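As an added example (not code from the original post, and not Microsoft's own tooling), here is a PowerShell check for the precondition FREAK needs on a Windows client or server: Schannel still being willing to negotiate an export-grade (40- or 56-bit) cipher suite. The helper names are my own. It assumes the TLS module cmdlets Get-TlsCipherSuite and Disable-TlsCipherSuite, which ship with Windows 8.1 / Server 2012 R2 and later; on older systems the same effect is obtained by removing every suite with EXPORT in its name from the "SSL Cipher Suite Order" Group Policy setting. Disabling the suites is a mitigation only; the actual fix is the Schannel bulletin in this month's batch (MS15-031).

```powershell
# Added example (not from the original post): list the Schannel cipher suites this
# Windows host will negotiate and flag the export-grade ones that FREAK relies on.
# Requires the TLS module (Windows 8.1 / Server 2012 R2 and later) and an elevated
# session to make changes.

function Get-ExportGradeCipherSuite {
    # Export-grade suites carry "EXPORT" in their IANA name, e.g.
    # TLS_RSA_EXPORT_WITH_RC4_40_MD5 or TLS_RSA_EXPORT1024_WITH_RC4_56_SHA.
    Get-TlsCipherSuite | Where-Object { $_.Name -like '*EXPORT*' }
}

function Disable-ExportGradeCipherSuite {
    # Supports -WhatIf so the change can be rehearsed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($suite in Get-ExportGradeCipherSuite) {
        if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable cipher suite')) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }
}

$export = @(Get-ExportGradeCipherSuite)
if ($export.Count -eq 0) {
    Write-Output 'No export-grade cipher suites are enabled on this host.'
} else {
    Write-Warning ('{0} export-grade cipher suite(s) enabled: {1}' -f `
        $export.Count, ($export.Name -join ', '))
    # Dry run first; drop -WhatIf to actually remove them.
    Disable-ExportGradeCipherSuite -WhatIf
}
```

Applications that carry their own TLS stack (Firefox, Java, OpenSSL-based tools) do not consult Schannel, so this check says nothing about them; each has to be checked and patched separately.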

Microsoft also blogged that on Feb. 19 it released an update to its Malicious Software Removal Tool which searches for and removes Superfish, an adware program that was recently discovered to have factory-shipped with many consumer PCs made by Lenovo. Superfish also has been shown to undermine the SSL encryption on systems with the invasive program installed, as demonstrated by researcher Robert Graham in this post. Lenovo has said it is no longer shipping Superfish with PCs, and has released a tool to help remove the program.
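The Superfish problem is not the adware itself but the root certificate it installs, whose private key is the same on every affected machine and has been published, so anyone can mint certificates that the machine will trust. As an added example (not from the original post, and not Lenovo's removal tool), this PowerShell script looks for that root certificate in the Windows trusted root stores and, optionally, removes it. Matching on the subject name containing "Superfish" and the helper names are my own assumptions; confirm the thumbprint it reports against Lenovo's removal instructions before deleting anything.

```powershell
# Added example (not from the original post or Lenovo's tool): find and optionally
# remove a Superfish root certificate from the Windows trusted root stores.
# Run elevated; modifying Cert:\LocalMachine\Root requires administrator rights.

function Find-SuperfishRootCert {
    # Both the machine-wide and the per-user root stores are consulted, since
    # a certificate in either one is trusted by Schannel-based clients.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint   # compare with the published value
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Remove-SuperfishRootCert {
    # Supports -WhatIf so the removal can be rehearsed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($cert in Find-SuperfishRootCert) {
        $path = Join-Path -Path $cert.Store -ChildPath $cert.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove trusted root certificate')) {
            Remove-Item -Path $path
        }
    }
}

$found = @(Find-SuperfishRootCert)
if ($found.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the Windows root stores.'
} else {
    $found | Format-Table -AutoSize
    # Dry run; drop -WhatIf to delete. Uninstall the Superfish program as well,
    # otherwise it can put the certificate back.
    Remove-SuperfishRootCert -WhatIf
}
```

Firefox keeps its own certificate database and is not covered by this check; Superfish placed its root there too, so the Firefox certificate manager has to be inspected separately.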

For the first time in a while, there are no fixes from Adobe on Patch Tuesday, although one of the critical patches Microsoft released today addresses a dangerous bug in the Adobe Font Driver on most versions of Windows. For more on today’s Microsoft updates, check out the roundups published by Qualys and Shavlik. Links to the individual bulletins released today are here.


62 comments

  1. Brian seems to have missed notification of an update to Java, which Oracle released last Friday (to jre8u40, and apparently the final EOL update for v7).

    • Brian didn’t miss it. Brian’s just not aware of any security updates in it. As I understand it from Oracle’s advisory, the security baseline for Java 7 Update 80 is actually Java 7 Update 75.

      http://www.oracle.com/technetwork/java/javase/8u40-relnotes-2389089.html

      • I certainly was not intending to impugn anything about or associated with your efforts, Brian — just figured you had bigger fish to go after that were grabbing attention. I presume that any update for Java represents a security-related action which should be taken by anyone who still needs it for something (in my case an older APC UPS) given its past history, and was a little surprised to see it listed on FileHippo with no subsequent mention in your blog.

        • No offense taken, Jim. Here’s a little tip that helps you tell a security update for Java from a non-security update. Odd numbered updates (like 25) are critical patch updates that only include fixes for security vulnerabilities. Even numbered updates generally do not include security updates.

          • I did not know that…. I have always checked the release notes to see if the security baseline has changed.

            Thanks Brian!!

    • The only update to Java that really matters is that Minecraft doesn’t need that wretched ASK.COM pimpware anymore. Now’s the time to run around and uninstall the garbage from friends & family for good.

      • Java’s Advanced options, all the way at the bottom, has a box you can check to keep the crap from appearing during the installation/update process now.

        While this shouldn’t be necessary, it is at least an improvement.

    • Typically a new update is released right about the time the current Java update finishes installing. Good luck keeping up.

  2. Brian, thank you for the Microsoft vetting as I cannot pull up any info or support letters on the 14 updates.

    • I had trouble connecting at first, I thought it was my firewall or a security program blocking it. I think it was the MS server….it took me a second try.

  3. I hope I didn’t wait too long to update. It is so much easier to keep programs up to date on Linux lol. That def helps.

  4. Alex Blackwell

    Google also just pushed out a new version of Chrome.

  5. One can’t help but wonder if a certain three letter agency helped MS write the patch.

    Also the link to this story in your email doesn’t work.

    • IBM? AT&T?

      • *cough*.. i GOTTA quit trying to drink my softdrink when reading these…
        @strato.. that was good

    • Since we know that U.S. anti-virus vendors have kept updates that would impact NSA operations back at the request of the NSA and we know that Microsoft was called out in NSA slides as a fantastic partner and did above and beyond for the NSA (at the expense of their customers):

      http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

      And we know that the NSA’s stuxnet attack (using this vulnerability) took place shortly after the “fix” (that didn’t actually fix it) was released – it would be reasonable to assume that this was all by design in support of the attack.

      In light of the information that came out this week that the CIA (probably in partnership with the NSA) was actively (successful?) trying to insert backdoors into Apple Computer’s firmware/BIOS images and compiler (Xcode) – it begs the question, is it desirable to have the U.S. intelligence apparatus at open warfare against the electronic infrastructure of the United States?

      It’s also easy to see where this destroys significant chunks of the U.S. tech industry business.

  6. March’s Patch Tuesday is the second of the year? Did MS skip Jan or Feb?

  7. I kinda had to warn you that Google Chrome and Internet Explorer 10/11 have auto-updated their Flash Player to 17.0.0.134 for Windows 8.x, even though there’s no bulletin for an Adobe fix.

    • Debbie, I checked with Adobe personally; they said there was no security update shipped today.

      It’s worth noting that, like Java, Flash sometimes has non-security related updates.

      • Funny that people stopped to even think of Java and/or flash releasing updates to actually update their tools instead of fixing something.

        On a side note, there was a discussion on the full disclosure about why there was an out-of-band release of Java despite it not containing any security fixes. The only thing they found is that it now contains adware for OSX, too.

      • David Peterson

        It looks like there might be one pending. If you look at Microsoft’s article at https://technet.microsoft.com/en-us/library/security/2755801.aspx it says it patches the flaw described in APSB15-05, which they say will be published on the 12th.

  8. Donald J Trump

    I had 43 updates for my Windows 8.1 machine: the 14 security updates, Office non-security updates and the one for Flash. Did anyone get this many?

  9. Thanks for the info re: MS Malicious Software Removal Tool and Superfish.

    MSRT showed up in Windows Update on a couple of my Win7 systems late last week. Wondered why. Looked for info in the MS Knowledge Base, but found nothing. Did a bit of Googling, but came up dry there as well. Decided to install it anyway “just in case”. Now I understand why the early release.

    Would have been “nice” if MS had updated their KB docs when they released MSRT last week, rather than waiting until today to do it in their blog. But at least it’s good to know *you* have got our backs.

    Thanks again Brian for all that you do!

  10. They can keep their updates, patches, and refried beans. I see no point in it. I’ll do better without it.

  11. I have been living on the edge with my XP ever since MS stopped supporting it with updates. Come to think of it, years ago I didn’t have a firewall or anti-virus software for 3 years until a friend said I should have it.

    I must be a sinner who wasn’t aware of my sin but so far XP still works for me (so far that is and not bragging).

    • XP will still work. That was never in question. Lots of older OS’s will still work. Even Win98se will still work, though I see no point in using it.

      The question is not whether or not it will still boot up or allow you to pull up webpages or run a particular piece of software. The question isn’t even really in the level of so-called safety when doing these things. The only question is whether or not you can make your computer do exactly what you want it to or need it to without submission to anyone else’s faulty ideas of what THEY think you need or should do or have. Can you make your computer bend to your will? Is it what it is because of what YOU chose or because of what someone else (like Microsoft or Apple) chose?

      The specific OS really isn’t all that important when it comes down to it. This can be done (and has been done) with Linux of all flavors for decades. Understanding ASCII is only the beginning.

      There is power in the code.

      • Thanks for the words of comfort Mike. My computer with XP had issues all the time so bending to my will never crossed my mind. At some point I expect to get hacked, blue screened or hopelessly lost for a repair of a ghastly problem at which point I will shelve it. Again, thanks for the perspective.

  12. I had 25 MS updates for my Windows 7 Professional computer this evening. Took 2.5 hours to download and install. All installed successfully!

  13. So, if I may ask, Brian, bearing unquantifiable hours spent on protecting, patching, W32 application “pain” and time lost in rebooting the Microsoft operating system since Windows 3.1 and Dr. Watson days, *cough* *cough* … I’m not giving up my age :-), AND not forgetting to mention lost PRODUCTIVITY and in certain circumstances slow PROGRESSION and country development:

    In the past 5 years, what is the operating system that has demonstrated the LEAST pain (effort) for both the corporate and home user in terms of support and maintenance?

  14. Brian, just let you know, that Microsoft has issued a FREAK update only for Windows versions till Windows 8.1/Server 2012 R2. Windows 10 TP Build 9926 is still vulnerable, as I demonstrated in my blog post http://goo.gl/f5Re8I.

    BTW: Thx for your explanations given above. As Ester D mentioned (http://goo.gl/MjwHsT) I also stumbled upon last weekend’s extraordinary but optional MSRT Windows Update. I blogged about that observation here (http://goo.gl/T5HXoJ, but it’s only in German), but I’ve had no clue why. Maybe the Superfish issue was the reason – but it’s still unclear why MS makes this update “optional”.

    Greetings from Germany

  15. Interesting question posed: an unpatched good OS is? NONE!!!
    Apple, Linux, and MS are the most common; all patch. Even the old DOS systems available patch. The only safe system out there is machine code for a specific machine, not connected. So it comes down to acceptable risk. Me, I run Linux, and MS, XP, and 8.1, but XP I try not to let run free; it’s my game machine, Doom and such, as 8 Legged Freaks. So communications and such, as secure as I can get, Mint’s my favorite; even my click-on-everything wife can use it, and stable. Running as a stick program, backed up every couple of days, keeps her happy. Just the others keep me busy.

    • I know Chrome OS isn’t for everyone or every environment, but it has saved me hours of frustration of fixing and patching since it is the device my wife and children use. I highly recommend it for those type of people who click on everything. As an extra layer of protection I have Adblock Plus installed in Chrome with EasyList, EasyPrivacy, and Malware Domains subscriptions in it. I also use Norton ConnectSafe on our router – https://dns.norton.com/.

    • Mint is my top Linux choice as well, with Cinnamon. I’ve used them all and literally beat them all to death, and it’s by far the best Windows replacement. Some people complain that their Yahoo and Amazon search results go through their servers for ad money, and they feel it’s a privacy violation, but so what, it’s free! And it’s the most stable and fastest Linux, with all the bells and whistles you can get, but easy on hardware, and way more user friendly than Ubuntu, with being able to use their repos and more! I really don’t know why anybody who is not a developer would use anything else.

  16. A tool to remove all traces of Java, or update it, can be found at https://singularlabs.com/software/javara/. My suggestion: remove all traces.

  17. Thank you so much for your information. This helps me a lot. Maybe you should run for some type of government position. You and Mr Trump would be a good team.

  18. Dr. Martha Stokely

    Microsoft pushed a bunch of updates to my work PC (running Windows 7 Ultimate) today. After lunch it showed 22035 registry updates being made. After that my printer preferences had been changed to 2-sided and I couldn’t get them to change back. So our IT person opened the printer preferences (through Printers and Devices) and updated my printer preferences (making them 1-sided again); it did not take and all my printing remained 2-sided. So, thinking I might need to reboot to get the preferences change to take effect, I shut down my computer properly and rebooted it. It has now been 25 minutes since I rebooted but the computer still hasn’t completed booting – black screen, mobile cursor, flickering hard drive light, but Windows still hasn’t completed booting. It looks to me like Microsoft pushed a deadly update somewhere in those registry changes. Is there any way to fix it, short of wiping the hard drive and starting all over (which will only trigger the same series of updates and again disable my computer)? Any ideas?

    • Do you have any restore points established before the update occurred? If so, load the one most immediately prior to that WU snafu and see if doing so will return the OS and your printing preferences back to an earlier state more to your liking.

    • Press F8, try to repair boot. Or use a Windows disc and do a system restore like Jim said, or just reinstall Windows, which will just make another Windows folder next to your old one so you will still have all your documents. (Make sure to follow the right options.) Sometimes if there was a bad error on a failed boot, Windows 7 will automatically prompt you if you want to try and repair the boot on the next startup.

      Don’t think it’s just Windows, because it’s funny you mention your printer. I had a problem with an HP driver on my mother’s laptop with Linux this Sunday (not Mint). It was stuck on “rendering completed”, and everything was getting stuck in the queue. Nothing would print. I tried to open the HP device manager, and got prompted about an update so I tried to install it, and I got an error saying it crashed, then the computer froze up for 10 mins. After a hard reset the HP manager wouldn’t even load anymore. I couldn’t uninstall the driver or remove the printer, so I just installed a new updated driver right next to it, and told my mother not to click on the bad printer lol.

  19. Just downloaded the latest series of updates from windows last night. This am Desktop has been half way loaded and completely locked up for half an hour now with the fan running like something is installing. Nothing is responding including ctr+alt+delete.

    Awesome update

  20. As I see it, the biggest problem with the Windows ecosystem is that there are FAR too many variant genomes in the Windows ecosystem.

    MS simply CANNOT test their patches on ALL of the possible hardware and software configurations out there. So they only test on a subset of the most-commonly-used varieties, hoping thereby to cover most of the critical cases. Unfortunately, that strategy pretty much guarantees that at least SOME of the untested variants will inevitably fail to patch correctly. So it goes…

    • When it comes to being optimized for different hardware, Linux is worse in that regard.

  21. So, just to sum this up.

    The OS with the least effort and minimal acceptable risk is a non-Microsoft OS right? So, why has Microsoft not learned from the likes of Apple, Red Hat, SuSE/Novell?

    About 2 years ago I switched ALL my home users (Chief Financial Officer and kiddies) to iPads, iPhones and a Mac Mini, and I’ve not entertained much tech support crap since then. I’m in a better position to enforce my policies and standards (content filtering / parental controls) compared to my corporate (Windows) side. There’s a light at the end of the tunnel though, and hopefully the DLP deployment will demonstrate some business value in the short term.

    • I’m with you on the phones; iPhones seem way more secure to me than Androids. And probably the smarter choice for a business, as much as I hate Apple and would never use one myself. I don’t doubt it.

      But regarding Apple, Red Hat, SuSE, desktop computers, I don’t really think it makes a difference. Especially if you’re not a boring nerd who will never be targeted by someone, for any reason. It really all depends on how hardened the person’s OS is, which could also depend on what services and scripts are used. They all still use the same browsers, etc. And they are so much more obscure than Windows, who knows what never gets exposed.

      Apple and SuSE don’t have a firewall on by default. What kills me about SuSE is they made AppArmor, but yet you don’t get any free profiles, not even for their damn default browser, the most important. Ubuntu gives its users free AppArmor profiles. SuSE doesn’t, unless you buy their enterprise version. And it’s pretty much deprecated now. Not sure if AppArmor even has a maintainer. Fedora/Red Hat does have a firewall, and SELinux, on by default. Great security out of the box, but who knows what backdoors Big Brother has in there that 3rd parties might be exploiting.

    • You’ve decided to deal with it by giving it to Apple. Apple is in charge of your stuff now.

  22. Something to Note:
    One (or more) of this month’s MS Patches (March 2015) seemed to break communication between Outlook and Exchange Server. Typically we have workstations patch right away and servers patch the first upcoming weekend to better utilize available maintenance windows. In this case, client workstations who installed March’s patches and ran Outlook for Corporate Email, could not communicate with the Exch Server.
    Even the Outlook connection monitor window showed no threads established with the server. After not finding ANY errors in logs, I decided to apply the patches waiting at the server level; lo-and-behold, Outlook began working again once the patches were installed – even before a reboot.
    As of about 11am (on March 13th) there had not been any mention of this anywhere on the web that G00gl3 had yet indexed, so I thought this might be a good place to start warning folks.

    -=Happy Patching=-

  23. Brian ,

    I need your help. NO ACTIVEX CONTROLS.. :-( .. after the update my ActiveX controls are gone. I am going back to living a dangerous life … is there any way I can have my ActiveX back with the new update…

  24. Ever since this most recent update last week I am blocked from everything associated with the host that I have most of my clients’ websites hosted on. This includes being blocked from FTP access, and from email via web or Outlook. All devices connected by wifi through the router to my main PC are affected the same way. Off site or through my phone’s data plan I can get everything fine. I cannot even get the host’s website. I can go anywhere else online except the sites I manage. The rest of the world can get them just fine.

    I have tried running several different antivirus and malware programs, clearing the internet cache, flushing the DNS, refreshing the IP address. I have been on the phone or chat with Norton, Microsoft, the host, and my Internet Service Provider. No one can help unless I pay an extra $100 which feels like extortion. I suppose I will have to pay someone but I can’t decide which will be most likely to actually solve the problem.

    Has anyone else heard of other who have this problem, or any potential solutions? I am pretty frustrated as you might guess.

    Thanks.

  25. Brian,

    I’m running Windows 8.1 Pro x64 on both my laptop and desktop and after the 10th March update I got a black screen on both. It seems to be the same problem people experienced with the August 2014 update.

    Do you know if anyone else experienced this problem? And do you know if anyone has maybe isolated which update(s) is causing the problem?

    Any help would be appreciated.

    Thanks.

  26. Some rhetoric – Who will invest in a long-term project if there are only random holes to exploit?

  27. After the updates, my gadgets disappear, my internet connect disappear, and my screen resolution is changed to the lowest resolution. Didn’t want to deal with fixing it. I performed a system restore from just before the updates. Computer back in good working order. I was stupid enough to re-apply the updates. Same thing happened.

  28. I wonder if Microsoft knew the patch did not work the whole time.

  29. I was really confused when I saw articles about Microsoft patching some of Stuxnet’s vulnerabilities in 2015. Several years ago, when I was working on a network security project, I was researching the mechanisms Stuxnet used to spread through USB and networks, and I watched a video where one of Microsoft’s team members, Bruce Dang, mentioned in a conference that “we had known about the Stuxnet but we weren’t allowed to talk about it till now (2010)”. But nowadays, when everybody knows about Stuxnet and its mission is finished, why hasn’t Microsoft patched its vulnerabilities for good? Is there something that remains unmentioned about the Stuxnet mission?
    I searched a lot to find the exact video I had watched at that time, which contained much more about the role of Microsoft in postponing patching of the vulnerabilities Stuxnet was using, but I couldn’t find it yet. However, the above video contains some admissions from one of Microsoft’s members.