Microsoft patches Windows XP flaw that aided Stuxnet worm

The Stuxnet worm was discovered in July and was designed to steal industrial secrets

Microsoft Tuesday patched a critical Windows XP vulnerability that aided attacks based on the Stuxnet worm by letting attackers gain remote access through the operating system's print spooler service.

But there are still two vulnerabilities related to Stuxnet that Microsoft has not patched, according to Kaspersky Lab.

The print spooler security bulletin is one of nine issued in Microsoft's monthly Patch Tuesday, and one of four rated as critical.

Microsoft: 'We love open source'

"The most dangerous vulnerability is the Print Spooler service impersonation issue," Symantec Security Response official Joshua Talbot writes in a statement regarding the Microsoft security updates. "This vulnerability has been identified by Symantec as one of the attack vectors built into the notorious Stuxnet threat, which targets industrial control systems. This is evidence the vulnerability is already being exploited in the wild."

The Stuxnet worm was discovered in July and was designed to steal industrial secrets, claiming Siemens as one of its publicly disclosed victims.

Microsoft patched a vulnerability related to Stuxnet last month but the print spooler vulnerability represents a new attack vector for the worm. It was reported to Microsoft by Kaspersky Lab and Symantec.

Kaspersky Lab says that it has "identified yet another zero-day vulnerability in Stuxnet's code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future."

That means there are four vulnerabilities related to Stuxnet, and only two have been patched.

"The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware," Kaspersky writes. "It's the first time we've come across a threat that contains so many ‘surprises'."

The print spooler error fixed Tuesday affects a wide range of software including Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008. But it was only rated as "critical" for Windows XP.

"When a computer is configured to use a shared printer, a remote or local attacker can use this vulnerability to gain system-level access and add malicious code to any file in Windows' core directory where operating system files are stored," Talbot of Symantec writes. "System and configuration files in this directory often automatically execute. By overwriting one of these files, the attacker supplied code would automatically run instead of the legitimate file, resulting in the machine being completely compromised."

"This vulnerability allows for a great deal of stealth since no user interaction is required for an attacker to exploit it," Talbot continued. "Affected systems run the gamut, but Windows XP is the most vulnerable. An attacker has to be able to send a ‘print to file' command as well as other malicious instructions to the machine. XP most readily facilitates this by having a guest account with anonymous access enabled by default."

It's not unlikely that more vulnerabilitles related to Stuxnet are just waiting to be found, says Jason Miller, data and security team manager at Shavlik Technologies.

"Malware evolves," he says. "It's a big game of cat and mouse."In addition to the print spooler flaw, Microsoft patched a vulnerability in MPEG-4 codec.

"The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."

The MPEG-4 security update is rated critical for various editions of Windows 7, Windows XP, Windows Vista and Windows Server.

Microsoft has not yet patched another publicly reported vulnerability, the Windows DLL load hijacking problem that allows exploitation of 41 Microsoft programs. Microsoft has published a tool to block known attacks, however.

Follow Jon Brodkin on Twitter:

Read more about software in Network World's Software section.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftoperating systemssoftwareWindowssymantecanti-malwarekaspersky labWindows securityStuxnet

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments



Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?