
Exploit Code for Fourth Stuxnet Zero-Day Publicly Released


tipo


Hackers have released proof-of-concept exploit code for a yet unpatched Windows Vista and 7 privilege escalation vulnerability leveraged by the infamous Stuxnet worm.

Stuxnet is a highly complex threat designed for industrial espionage and sabotage, which is widely considered to be the most sophisticated piece of malware ever created.

The worm was discovered by Belarusian antivirus vendor VirusBlokAda in July and immediately captured the attention of the security industry, as it was exploiting a previously unknown Windows vulnerability to spread via USB devices.

The critical flaw, identified as CVE-2010-2568, stemmed from the way Windows parsed certain LNK files and was patched by Microsoft in an out-of-band update released in early August.

Security researchers also found that the malware spreads on local networks by exploiting a separate zero-day Windows vulnerability (CVE-2010-2729) located in the Print Spooler service, which was subsequently fixed in September.

The worm leverages this flaw to obtain local shells on LAN computers with shared printers. However, in order to execute code with administrator permissions, the threat exploits two local privilege escalation bugs, one on XP and one on Windows Vista and 7.

The XP Elevation of Privilege (EoP) vulnerability was fixed during October's Patch Tuesday, at which time Microsoft announced that "the second and final [EoP] issue will be addressed in an upcoming bulletin."

Since it wasn't covered in the November patches either, this vulnerability still has zero-day status and last Saturday, someone going by the online handle of "webDEViL" released a proof-of-concept exploit for it.

The flaw is not currently exploited in widespread attacks other than Stuxnet and requires hackers to first gain access to a limited account on the system. Therefore, it's very unlikely that Microsoft will issue an out-of-band patch in order to fix it.

It will, however, probably be addressed during next month's Patch Tuesday, which is scheduled for December 14. The Redmond giant is also currently dealing with an actively exploited zero-day vulnerability in Internet Explorer (CVE-2010-3962).
