Microsoft devoted yet another patch this month to close off the possible spread of the insidious worm, which was built to target industrial control systems, specifically Simatic WinCC and PCS7 products, manufactured by Siemens, a major SCADA systems manufacturer.
In addition to the patch, released Tuesday as part of Microsoft's September security update, engineers at the software giant are investigating two other zero-day vulnerabilities being leveraged by Stuxnet attackers.
Last month, as part of an emergency patch release, the software giant plugged a hole involving the way the operating system handles shortcut files (.lnk). The flaw could have permitted a malicious .lnk file installed on a USB device to infect a machine with Stuxnet simply by a user viewing the related icon. As a complement to the patch, Microsoft also updated its Malicious Software Removal Tool to detect and remove the threat.
But now comes word that the authors of the pesky worm have discovered other weaknesses in Windows that can be used to spread their creation.
On Tuesday, Microsoft released a patch, MS10-061, for a vulnerability that also allows Stuxnet to propagate via the Windows Print Spooler service. The flaw, rated "critical" on Windows XP platforms and discovered by researchers at Symantec and Kaspersky Lab, "is used by Stuxnet to spread to systems inside the network where the Print Spooler Service is exposed without authentication," Jerry Bryant, group manager of response communications at Microsoft, wrote in a Tuesday blog post.
"Analysis of the vulnerability shows that it's computers with shared access to a printer which are at risk of infection," wrote Aleks Gostev, head of Kaspersky Lab's Global Research and Analysis Team. "During analysis, we searched our collection for other malicious programs capable of using this vulnerability. Happily, we didn't find anything."But the threat doesn't end there. Bryant said Microsoft now is investigating another two unpatched vulnerabilities that can permit elevation-of-privilege (EoP) for Stuxnet attackers, when used in conjunction with remote-execution flaws.
"These are local EoP issues, which means the attacker, in this case Stuxnet, already has permission to run code on the systems or has compromised the system through some other means," Bryant said. "We are currently working to address both issues in a future bulletin."The complex, versatile and seemingly undying nature of Stuxnet is presenting a unique challenge for Microsoft and anti-malware providers.
"A threat using one zero-day vulnerability by itself is a quite an event," Liam O'Murchu, manager of operations at Symantec Security Response, wrote in a Tuesday blog post. "However, a threat using four zero-day vulnerabilities is extraordinary and is unique to this threat. This is the first time we have ever encountered a threat using so many unknown and unpatched vulnerabilities."
Gostev said the writers of Stuxnet have a "thorough grasp of anti-virus technologies and their weaknesses, as well as information about as-yet unknown vulnerabilities and the architecture of WinCC and PSC7."
Also on Tuesday, Microsoft delivered eight other patches, three labeled critical and five "important," to address 10 other vulnerabilities.
Microsoft deems the only other high-priority fix to be MS10-062, a critical bulletin that remediates a vulnerability in the MPEG-4 codec and affects Windows XP, Server 2003, Vista and Server 2008, Bryant said. The flaw can be exploited if an attacker tricks a user into visiting a malicious website or opening a specially crafted media file.
The two other critical bulletins fix holes in Outlook and Unicode Scripts Processor but are not considered to be imminently exploitable. The "important" patches address bugs in Internet Information Services (IIS), LSASS, Remote Procedural Call, WordPad Text Converter and Windows Client/Server Run-Time.
All of the patches can be installed here.