Oct 13, 2010 14:17 GMT
Microsoft patches one of the two privilege escalation vulnerabilities exploited by Stuxnet

In its monster batch of security updates released yesterday, Microsoft included a fix for one of the remaining two zero-day vulnerabilities exploited by the Stuxnet industrial espionage worm.

This month's Patch Tuesday brought 16 security bulletins, covering a record-breaking 49 vulnerabilities in Windows, Internet Explorer, Microsoft Office and .NET Framework components.

One of these bulletins (MS10-073) resolves three publicly disclosed elevation of privilege (EoP) vulnerabilities in Windows kernel-mode drivers.

Successful exploitation allows an attacker who already has access to a restricted local account to execute potentially malicious code as SYSTEM.

One of these vulnerabilities, identified as CVE-2010-2743, is leveraged by the infamous Stuxnet worm in one of its propagation routines.

The malware first obtains a local shell on a target computer by exploiting the Print Spooler flaw (CVE-2010-2729) patched last month, and then uses an EoP bug to execute malicious code.

At the time of its discovery in July, Stuxnet, which is now considered the most sophisticated piece of malware in history, was exploiting four zero-day vulnerabilities in Windows.

One was an extremely dangerous LNK parsing bug (CVE-2010-2568), which was patched by Microsoft in an out-of-band security update released at the beginning of August.

The Print Spooler shell vulnerability affects all supported operating systems, but the Stuxnet flaw fixed yesterday can only be used to elevate privileges on Windows XP.

This means that a similar vulnerability affecting Windows 7 and Vista remains unpatched. This is confirmed by Carlene Chmaj, Security Response Senior Communications Manager at Microsoft, who says that "The second and final [EoP] issue will be addressed in an upcoming bulletin."

Four bulletins released yesterday, MS10-071 (IE), MS10-076 (EOT Fonts), MS10-077 (.NET Framework) and MS10-075 (Media Player), are rated critical and carry the maximum deployment priority.

It's worth pointing out that many of the vulnerabilities they cover can be exploited by driving victims to a maliciously crafted webpage and are likely to see exploit code developed for them in the next 30 days.

Attacks in which vulnerabilities are exploited over the Web in order to infect computers with malware are called drive-by downloads, and they are very common.