While all eyes are on Freak fix, Microsoft patches five-year-old Stuxnet vuln
Original patch for Iran centrifuge nemesis insufficient, according to HP cyber-sec unit
Microsoft used yesterday's Patch Tuesday to fix the infamous Freak encryption flaw in Windows, but also quietly slipped in a fix for the vulnerability exploited by the Stuxnet worm, previously thought to have been patched in 2010, The Register reported.
Stuxnet was used to take Iran's uranium centrifuges offline by attacking Siemens Step 7 command-and-control systems, using Windows machines as a staging area. The worm was programmed to be very precise in the systems it attacked, going after a certain version of Step 7; however, a study by Symantec showed just under 60% of the worm's install base to be in Iran.
Microsoft issued a patch for Stuxnet in 2010, but a recent report by HP's security unit TippingPoint claimed that fix was insufficient.
"That patch didn't completely address the .LNK issue in the Windows shell, and there were weaknesses left behind," said TippingPoint vulnerability research manager Brian Gorenc, on Kaspersky Lab's ThreatPost.
The result of the flawed fix is that the vulnerability exploited by Stuxnet has been present in every version of Windows from Vista and Windows Server 2003 up to Windows 8.1 and Windows Server 2012 R2. The vulnerability allows an attacker to execute arbitrary code and has been rated critical by Microsoft in its latest round of patches.
Microsoft claimed the vulnerability patched yesterday was not the same as the one for which it issued a fix in 2010.
"This is a new vulnerability that required a new security update," a company spokesperson told The Register in an email. "Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals."