Almost half a decade has passed since the disclosure of the Stuxnet attack, yet its standing as a milestone in advanced cyber attacks has hardly diminished, and its implications are still being worked out.
In August 2014, Kaspersky Lab reported that between November 2013 and June 2014 the Windows Shell flaw (CVE-2010-2568) was detected 50 million times on 19 million machines. Stuxnet-derived threats are indeed alive, and active. This past week's edition of Patch Tuesday unintentionally brought CVE-2010-2568 back into the spotlight.
Microsoft released MS15-020 as part of the March Patch Tuesday, an update described as fixing a DLL planting vulnerability that allowed an attacker to gain remote code execution by directing a user to a web share or folder containing the malicious files. The vulnerability was assigned CVE-2015-0096.
Closer inspection reveals that this vulnerability is in fact a rehash of the LNK vulnerability used by the Stuxnet malware in 2010, CVE-2010-2568. Let us examine the nature of CVE-2010-2568.
The exploit allowed an attacker to plant a DLL file alongside an LNK file; the DLL was loaded automatically as soon as a user browsed to the folder (or removable drive) containing the LNK, with no click required. It abused the way the Windows Explorer shell handles shortcuts that point to CPL files (Control Panel applets): to render the shortcut's icon, the shell loads the referenced module as a DLL, so a shortcut pointing at an attacker-supplied file gets that file's code executed.
Microsoft patched this for all supported OS versions in August 2010 (MS10-046), and later OS releases and service packs shipped with the fix, so the original vulnerability never affected Windows 7 SP1 or anything newer (Windows 8, 8.1).
This month's patch, however, reveals that the original fix was incomplete: by exploiting a corner case in the shell's parsing of the path inside the LNK, an attacker can bypass the earlier check and reproduce the original vulnerability.
As a result, every system that was considered patched against CVE-2010-2568 is vulnerable to this new but closely related vulnerability, as are all OS versions released since, including Windows 8.1.
The new patch from Microsoft adds a check of the CPL file being loaded against a predetermined whitelist. Palo Alto Networks Traps takes a prevention-based approach a step further: it mitigates not only the original vulnerability but also the new one, thanks to more robust logic that prevents LNK files from loading foreign DLLs in the guise of CPL files.
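A defender reading the above will want the complementary check on the endpoint side: given a shortcut file, does its target, its icon source, or its embedded item ID list resolve to a .cpl or .dll module that the shell would hand to LoadLibrary when drawing the icon? The following scanner is an added example, not code from the original post and not Traps' detection logic. It parses the ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData sections according to the MS-SHLLINK layout, then applies three heuristics. The sample shortcuts it scans are constructed in-line by build_lnk; the path names, the "icon module outside the Windows directory" rule and the string-scan of the item ID list (whose control-panel item format is not covered by MS-SHLLINK) are assumptions of this example, not facts from the advisory.

```python
"""Heuristic scanner for Stuxnet-style (CVE-2010-2568 / CVE-2015-0096) shortcuts.

Walks the fixed ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData
sections of a .LNK file (MS-SHLLINK layout) and flags shortcuts whose target,
icon source or embedded item IDs name a .cpl/.dll module, since that is the
file the shell loads as a library when it renders the shortcut's icon.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relpath"), (HAS_WORKDIR, "workdir"),
                 (HAS_ARGS, "args"), (HAS_ICON, "icon"))          # StringData order per MS-SHLLINK
MODULE_RE = re.compile(r"\.(cpl|dll)$", re.IGNORECASE)
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows")    # heuristic assumption, not exhaustive


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def _embedded_strings(blob):
    """Printable ASCII and UTF-16LE runs inside an opaque ItemID list.
    Control-panel item IDs are not described by MS-SHLLINK, so we only string-scan them."""
    ascii_runs = [m.group().decode("latin-1") for m in re.finditer(rb"[\x20-\x7e]{4,}", blob)]
    wide_runs = [m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob)]
    return [s.strip() for s in ascii_runs + wide_runs]


def parse_lnk(data):
    """Return the link fields relevant to detection: target path, icon location, IDList strings."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"target": "", "icon": "", "idlist_strings": []}
    pos = 76                                      # ShellLinkHeader is fixed at 0x4C bytes
    if flags & HAS_IDLIST:
        size = struct.unpack_from("<H", data, pos)[0]
        info["idlist_strings"] = _embedded_strings(data[pos + 2:pos + 2 + size])
        pos += 2 + size
    if flags & HAS_LINKINFO:
        base = pos                                # LinkInfo offsets are relative to its own start
        li_size, _hdr, li_flags, _vol, local_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, base)
        suffix = _cstr(data, base + suffix_off)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath
            info["target"] = _cstr(data, base + local_off) + suffix
        elif li_flags & 0x2:                      # CommonNetworkRelativeLinkAndPathSuffix (UNC target)
            net_name_off = struct.unpack_from("<I", data, base + cnrl_off + 8)[0]
            info["target"] = _cstr(data, base + cnrl_off + net_name_off) + "\\" + suffix
        pos = base + li_size
    for bit, key in STRING_FIELDS:               # each present field: 2-byte char count, then the chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return info


def assess(info):
    """Reasons a parsed shortcut looks like a CPL/DLL-planting lure (empty list = nothing suspicious)."""
    reasons = []
    if MODULE_RE.search(info["target"]):
        reasons.append("link target is a loadable module: " + info["target"])
    icon = info["icon"]
    if MODULE_RE.search(icon) and not icon.lower().startswith(SYSTEM_PREFIXES):
        reasons.append("icon is served from a module outside the Windows directory: " + icon)
    for s in info["idlist_strings"]:
        if MODULE_RE.search(s):
            reasons.append("item ID list embeds a module path (control-panel style target): " + s)
    return reasons


def build_lnk(idlist_items=(), local_path=None, icon=None):
    """Assemble a minimal shell link. Constructed test input for this example, not a captured sample."""
    flags, body = IS_UNICODE, b""
    if idlist_items:
        flags |= HAS_IDLIST
        items = b"".join(struct.pack("<H", len(d) + 2) + d for d in idlist_items) + b"\x00\x00"
        body += struct.pack("<H", len(items)) + items
    if local_path is not None:
        flags |= HAS_LINKINFO
        path = local_path.encode("latin-1") + b"\x00"
        volume = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID: DRIVE_FIXED, empty label
        local_off = 0x1C + len(volume)                           # 0x1C = LinkInfoHeaderSize
        suffix_off = local_off + len(path)
        body += struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, 0x1C, local_off, 0, suffix_off)
        body += volume + path + b"\x00"                           # empty CommonPathSuffix
    if icon is not None:
        flags |= HAS_ICON
        body += struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\x00")
    return header + body + b"\x00\x00\x00\x00"                    # TerminalBlock closes ExtraData


if __name__ == "__main__":
    samples = {   # constructed inputs: one benign shortcut, two CPL/DLL lures
        "benign": build_lnk(local_path="C:\\Windows\\notepad.exe", icon="%SystemRoot%\\system32\\notepad.exe"),
        "cpl_on_removable_drive": build_lnk(local_path="E:\\lure.cpl", icon="E:\\lure.cpl"),
        "stuxnet_style_pidl": build_lnk(idlist_items=("E:\\payload.dll".encode("utf-16-le") + b"\x00\x00",)),
    }
    for name, blob in samples.items():
        print(name, assess(parse_lnk(blob)) or "clean")
```

Run against real shortcuts with `assess(parse_lnk(open(path, "rb").read()))`. The icon rule deliberately tolerates modules under the Windows directory, since most legitimate shortcuts pull icons from shell32.dll and friends; a CPL on a removable drive or a share is the case worth an analyst's attention, and the item ID list scan is what catches the Stuxnet layout, where the shortcut carries no LinkInfo at all and the module path lives only inside the control-panel item IDs.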
The cases of CVE-2010-2568 and CVE-2015-0096 matter not only because of the specific exploits and attacks tied to them, but because they show how high the volume of ongoing attacks remains, even on systems that are considered patched and secure. The gap in the original CVE-2010-2568 patch is now closed, but what about other gaps being exploited that we don't yet know about?
Traps offers proactive prevention. Through a deep understanding of the exploitation techniques attackers employ, Traps proves time after time that it protects against zero-days and yet-to-be-discovered attacks without relying on patching or prior knowledge.
Coming back to CVE-2010-2568: systems protected by Palo Alto Networks Traps were safe from this exploit throughout the last few years and remain so, even without applying the new patch. That's the power of prevention.