March 11, 2015 at 05:29Microsoft incorrectly fixed vulnerability used by Stuxnet worm
Security community experts at Zero Day Initiative (ZDI) have published information about a new critical Remote Code Execution vulnerability in Windows (CVE-2015-0096) that Microsoft closed with update MS15-020 . The peculiarity of this vulnerability is that it appeared back in 2010, when Microsoft released an update to fix the notorious CVE-2010-2568 vulnerability, which allowed arbitrary code to be executed on the system using a specially crafted .LNK file (shortcut file).
This vulnerability was used by the Stuxnet worm for its distribution and, as it has now become known, over the past five years after the release of the patch, users were still at risk of possible exploitation. Files of the .LNK type allow you to specify in your body a link to an executable PE-file, from which Windows can take an icon to display it in the shell (Explorer).
Vulnerabilities CVE-2015-0096 ( DLL Planting Remote Code Execution Vulnerability ) are affected by all versions of Windows, including the latest Windows 8.1 and Windows 10 TP. As can be seen from the description of this vulnerability, which was made by Microsoft itself, the mechanism of its operation coincides with the 2010 vulnerability (CVE-2010-2568), an attacker can place a malicious .LNK file on a removable drive and, if the autorun mechanism is enabled, execute the malicious program in system. The same may apply to other file sources, including, network location, malicious website.
The MS15-020 update is addressed to the Shell32.dll library ( KB3039066 ).
A full description of the vulnerability can be found in a detailed ZDI study .
This vulnerability was used by the Stuxnet worm for its distribution and, as it has now become known, over the past five years after the release of the patch, users were still at risk of possible exploitation. Files of the .LNK type allow you to specify in your body a link to an executable PE-file, from which Windows can take an icon to display it in the shell (Explorer).
The vulnerability exists when Windows parses shortcuts in a way that could allow malicious code to be executed when the icon of a specially crafted shortcut is displayed. For the vulnerability to be exploited a user would have to use Windows Explorer to browse to a malicious website, remote network share, or local working directory (note that other methods of browsing to a working directory, such as via cmd.exe or powershell. exe, do NOT trigger the exploit). Additionally, the vulnerability could be exploited through USB removable drives, particularly on systems where AutoPlay has been enabled.
Vulnerabilities CVE-2015-0096 ( DLL Planting Remote Code Execution Vulnerability ) are affected by all versions of Windows, including the latest Windows 8.1 and Windows 10 TP. As can be seen from the description of this vulnerability, which was made by Microsoft itself, the mechanism of its operation coincides with the 2010 vulnerability (CVE-2010-2568), an attacker can place a malicious .LNK file on a removable drive and, if the autorun mechanism is enabled, execute the malicious program in system. The same may apply to other file sources, including, network location, malicious website.
A remote code execution vulnerability exists when Microsoft Windows improperly handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The MS15-020 update is addressed to the Shell32.dll library ( KB3039066 ).
A full description of the vulnerability can be found in a detailed ZDI study .