Stuxnet Redux: Microsoft patches Windows vuln left open for FIVE YEARS

While most of the attention this Patch Tuesday has been focused on the FREAK encryption vulnerability, Microsoft's latest batch of fixes also addresses another longstanding threat to Windows: Stuxnet.

What's that you say? You thought Microsoft already issued a patch that stopped the Stuxnet worm from spreading all the way back in 2010? So did everybody else. Unfortunately, that emergency update didn't quite do the job, according to a new report by HP's TippingPoint security wing.

"That patch didn't completely address the .LNK issue in the Windows shell, and there were weaknesses left behind," Brian Gorenc, a TippingPoint vulnerability research manager, told Kaspersky Lab's ThreatPost.

The upshot is that countless Windows machines have been left vulnerable to Stuxnet and other, similar attacks for the past five years.

The lingering flaws were first discovered by German security researcher Michael Heerklotz, who reportedly disclosed them to HP's Zero Day Initiative in January.

The bugs are present in every version of Windows from Vista and Windows Server 2003 all the way up to the latest Windows 8.1 and Windows Server 2012 R2.

Fortunately, Redmond thinks it has the issue licked this time. The fixes are included in MS15-020, one of the swath of patches that shipped with Microsoft's March 2015 Patch Tuesday update bundle.

It's not known whether these vulnerabilities have been exploited in the wild since the initial Stuxnet hullabaloo, years ago, but it's more than likely. Gorenc said exploit code is easy to generate and it doesn't need to bypass any of Windows' memory protection mechanisms to work.

A successful exploit gives an attacker the ability to execute arbitrary code, which explains why Microsoft has assigned "critical" severity to the MS15-020 patch on every affected platform.

Word of Microsoft's incomplete Stuxnet patch comes not long after the Kaspersky Group's revelation that a secretive organization dubbed the "Equation Group" has been churning out sophisticated malware for as long as two decades, possibly including Stuxnet itself.

While Kaspersky was reluctant to point the finger, sources with links to the US intelligence community told Reuters that the real force behind the Equation Group was none other than the NSA.

When El Reg asked Microsoft why the 2010 patch didn't fully solve this issue, a spokesperson told us that the latest exploit method isn't the same as the one that was addressed in the earlier patch.

"This is a new vulnerability that required a new security update," we were told via email. "Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals." ®