Windows 'Stuxnet' Patch Left Vulnerability Open

Five years after Microsoft issued a patch (archived) to "close" the vulnerability that allowed the Stuxnet worm to propagate, Microsoft today issued another patch which purports to finish closing that same vulnerability. Reportedly, the patch issued in 2010 did not actually resolve the vulnerability; it merely raised the difficulty of exploiting it, and the hole stayed open.

The original form of the vulnerability was first seen being exploited in 2008. In all of its forms the vulnerability abuses the way the Windows shell (shell32.dll) handles .LNK shortcut files when it renders their icons, for instance when a USB device is connected and Explorer displays its contents. Ars Technica reports that Hewlett-Packard is taking the lead on presenting this vulnerability to the public with a blog post this morning (archived), with more blog posts reportedly to come.

This vulnerability, as described on the Hewlett-Packard research blog, appears to be born of an astoundingly negligent design decision:

Windows allows .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files. The problem is that in Windows, icons are loaded from modules (either executables or dynamic-link libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could.
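The mechanism HP describes can be checked for directly, because a Shell Link file states where its icon comes from and that source may be a loadable module. The triage parser below is an added example written for this page from the public [MS-SHLLINK] layout; it is not code from the article, from HP's research blog, or from Microsoft. It reads a shortcut's header, skips the ID list and LinkInfo, pulls the ICON_LOCATION string and the IconEnvironmentDataBlock, and flags icon sources that are .cpl files or modules outside the Windows directory. The flagging rule, the sample shortcuts (built inline) and their file names are assumptions of the example. A shortcut's LinkTargetIDList can also name a Control Panel item; this parser only reports whether an ID list is present rather than walking its shell items.

```python
import struct

# [MS-SHLLINK] ShellLinkHeader constants
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
ICON_ENV_BLOCK = 0xA0000007        # IconEnvironmentDataBlock signature
MODULE_EXTS = (".cpl", ".dll", ".exe")


def _read_string(buf, off, unicode):
    """StringData item: 2-byte char count, then the chars, no terminator."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le", "replace"), off + 2 * n
    return buf[off:off + n].decode("latin-1"), off + n


def parse_lnk(buf):
    """Walk header, IDList, LinkInfo, StringData and ExtraData; return the
    fields that decide where the shortcut's icon is loaded from."""
    size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (icon_index,) = struct.unpack_from("<i", buf, 0x38)
    info = {"flags": flags, "icon_index": icon_index,
            "has_id_list": bool(flags & HAS_ID_LIST),
            "icon_location": None, "icon_env": None}
    off, unicode = 0x4C, bool(flags & IS_UNICODE)
    if flags & HAS_ID_LIST:            # LinkTargetIDList: 2-byte size + items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:          # LinkInfo: 4-byte total size first
        off += struct.unpack_from("<I", buf, off)[0]
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[key], off = _read_string(buf, off, unicode)
    while off + 8 <= len(buf):         # ExtraData blocks; size < 4 terminates
        bsize, sig = struct.unpack_from("<II", buf, off)
        if bsize < 4:
            break
        if sig == ICON_ENV_BLOCK and bsize == 0x314:
            ansi = buf[off + 8:off + 268].split(b"\x00", 1)[0].decode("latin-1")
            uni = buf[off + 268:off + 788].decode("utf-16-le", "replace")
            info["icon_env"] = uni.split("\x00", 1)[0] or ansi
        off += bsize
    return info


def icon_module(info):
    """Path Explorer resolves the icon from; the environment block, when
    present, takes precedence over the plain ICON_LOCATION string."""
    return info["icon_env"] or info["icon_location"]


def is_suspicious(info, windir="C:\\Windows"):
    """Triage heuristic (assumed here, not from the page): any .cpl icon
    source, or a .dll/.exe icon source outside the Windows directory."""
    src = icon_module(info)
    if not src:
        return False
    low = src.lower().replace("%systemroot%", windir.lower())
    if low.endswith(".cpl"):
        return True
    return low.endswith(MODULE_EXTS) and not low.startswith(windir.lower() + "\\")


def build_lnk(icon_location, icon_index=0, env_target=None):
    """Construct a minimal Unicode .LNK carrying only an ICON_LOCATION string
    and, optionally, an IconEnvironmentDataBlock (constructed sample input)."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    hdr = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0) + b"\x00" * 24
    hdr += struct.pack("<IiIHHII", 0, icon_index, 1, 0, 0, 0, 0)  # ShowCommand=1
    body = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    if env_target:
        body += struct.pack("<II", 0x314, ICON_ENV_BLOCK)
        body += env_target.encode("latin-1").ljust(260, b"\x00")
        body += env_target.encode("utf-16-le").ljust(520, b"\x00")
    return hdr + body + struct.pack("<I", 0)   # TerminalBlock


# Constructed samples (names and paths are invented): a normal shortcut, one
# whose icon is a Control Panel applet on a removable drive, and one that hides
# the module path in the environment block behind an innocent ICON_LOCATION.
SAMPLES = {
    "readme.lnk": build_lnk("%SystemRoot%\\system32\\shell32.dll", 3),
    "photos.lnk": build_lnk("E:\\drivers\\update.cpl"),
    "update.lnk": build_lnk("C:\\Windows\\system32\\shell32.dll", 0,
                            env_target="E:\\drivers\\loader.dll"),
}


def triage(samples):
    """Names of the shortcuts whose icon would be served by a suspect module."""
    return sorted(n for n, b in samples.items() if is_suspicious(parse_lnk(b)))


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        info = parse_lnk(data)
        print(f"{name}: icon from {icon_module(info)!r} index {info['icon_index']}"
              f"{'  <-- SUSPICIOUS' if is_suspicious(info) else ''}")
```

To run it over a suspect removable drive, replace SAMPLES with the bytes of each .LNK file found there. A hit means Explorer would load that module just to draw the icon when the drive's contents are displayed, which is exactly the behaviour the quoted paragraph describes; the heuristic is deliberately loud, since a legitimate shortcut has no reason to take its icon from a Control Panel applet.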

Everything about this suggests that an engineering environment at Microsoft which allows such a thing to be possible at the architectural level suffers from a combination of gross incompetence and active malice at the engineering, management, and executive levels. Something like Heartbleed finds its way into an Open Source product only through at least some measure of subterfuge and distraction.

This vulnerability, though, represents an intentional design decision: a number of people signed off on letting the mechanism that decides which icon to display pipe arbitrary executable code into the system's shell. For all of the deep and long-lived vulnerabilities in Open Source tools, this trivially exploitable architectural decision's survival through several major Windows releases, followed by a single patch crafted after a years-long delay that preserved a form of the exploit, is suggestive of an active contempt for Microsoft's individual, enterprise, and government customers. The manner in which this vulnerability was first exploited is further suggestive of active collusion between Microsoft and intelligence agencies operated by the United States and its close allies.
