More on Stuxnet

September 23, 2010

Yesterday, I wrote about the sophistication of the Stuxnet worm, as revealed by analysis of its code.  Stuxnet is unusual, in part, because it contained exploits directed at a number of different vulnerabilities in Microsoft Windows.

An article on the ThreatPost blog at the security firm Kaspersky Labs reports an interesting wrinkle in this story.  It appears that one of the vulnerabilities targeted by Stuxnet, the print spooler flaw fixed by Microsoft this month in Security Bulletin MS10-061, was reported over a year earlier in a Polish security magazine.

it now appears that information about the flaw was in the public domain for more than a year before Stuxnet first appeared,buried in the pages of Hakin9, a respected bimonthly magazine published out of Warsaw, Poland. An article by security researcher Carsten Köhler describes how shared network printer functionality on Windows can be used to elevate the local user’s privileges or to gain command line access to network print servers.

According to the article, Microsoft has confirmed that the hole identified by Köhler is the same one patched in MS10-061 this month.

It’s interesting that, although the Stuxnet worm appeared a few months before Microsoft patched the vulnerability, it wasn’t launched for some time after the original article identifying the flaw appeared in 2009.  This seems consistent with the idea that the worm was not just a random act of malice, but was developed to serve a specific purpose.

Update Friday, September 24, 22:20 EDT

The “Threat Level” blog  at Wired has another interesting article on Stuxnet, with more speculation on who might have created the worm, and what its target might be (or have been).   The Internet Storm Center at the SANS Institute also has a diary entry on Stuxnet, by John Bambenek.

%d bloggers like this: