Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed
Wait, what? Wasn’t the Stuxnet LNK vulnerability CVE-2010-2568, in part reported by Sergey I. Ulasen, patched years ago? Didn’t Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?
Yes, it was, but MS10-046 didn’t completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after the poorly QA’d USB worm spread across Pakistan using the same LNK exploit. However, we have not observed a newer implementation of this LNK exploit in-the-wild. Yet.
So, machines have remained vulnerable to an actively exploited codebase providing USB support since at least 2008. German researcher Michael Heerklotz reported the remaining flaws in January, and an excellent technical writeup describing his findings is posted on the ZDI blog here. Essentially, an attacker has to create a malicious LNK file with a link path of exactly 257 characters containing embedded unescaped spaces, and two “target” files – one with embedded unescaped spaces and one without. This is not difficult on a usb stick, and it bypasses much of the effective defenses Microsoft has developed for years. “Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma — the defender must be strong everywhere, while the attacker needs to find only one mistake.” In this case, it’s more that the attacker had to chain together a complex series of overlooked steps.
Microsoft’s release of thirteen other bulletins includes a large rollup of fixes for RCE across all versions of Internet Explorer, IE6 – IE11. This MS15-018 bulletin is rated critical, and it requires a reboot.