Microsoft overlooks four Stuxnet zero-day bugs in Patch Tuesday

Despite a larger-than-usual Patch Tuesday addressing 13 vulnerabilities yesterday, Microsoft appears to have left out a few vulnerabilities that the Stuxnet worm exploits. First publicized in July, when it was seen attacking vulnerable systems via a Windows shortcut bug, Stuxnet apparently uses four additional zero-day bugs and two stolen digital certificates to game the OS’s escalation of privileges system, according to security researchers at Kaspersky Labs.

Yesterday’s Patch Tuesday was also notable because it included four critical updates for XP. A fix for a previously known Stuxnet exploit in Windows’ Print Spooler service was part of yesterday’s Patch Tuesday group. The Windows shortcut issue was patched in August.

The latest vulnerability that Stuxnet has been exploiting involves yet another bug in Windows’ Print Spooler service. This vulnerability affects Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, according to Microsoft. The attacker can take control of a computer by sending a specially crafted print request to a vulnerable system where the print spooler service is exposed without authentication.

Microsoft rated the hole “critical” for Windows XP but only “important” for the other supported versions of Windows.

Microsoft will be addressing these issues.

“These are local EoP issues which means that an attacker, in this case Stuxnet, already has permission to run code on the system or has compromised the system through some other means,” wrote Jerry Bryant, group manager of Microsoft’s Response Communications, on the blog.

First reported by security vendor VirusBlokAda, the worm targeted Siemens’ Simatic WinCC and PCS 7 software, which run on industrial control systems. This targeting has minimized the worm outbreak, as most operators separate the control network from business and public networks.
