Holes used by the Stuxnet worm remain in Windows XP

[err0r]

SOFTWARE PATCH OUTFIT Microsoft has left a gaping hole used by the Stuxnet worm in Windows XP just one day after Patch Tuesday.

 

We reported last week that Microsoft had a larger than usual Patch Tuesday this month with four critical updates for XP alone. Last month the company plugged exploits used by the recently discovered Stuxnet worm but Kaspersky Labs has discovered two more vulnerabilities.

 

Kaspersky Labs insecurity expert Aleks blogged that Stuxnet had a couple of surprises up its sleeve.

 

"The worm doesn't just spread by using the LNK vulnerability. Once it's infected a computer on a local network, it then attempts to penetrate other computers using two other propagation routines."

 

The worm is designed to exploit the MS08-067 vulnerability but it's the previously unknown printer spool service attack that raises more interest.

 

"This vulnerability makes it possible for malicious code to be passed to, and then executed on, a remote machine. Two files (winsta.exe and sysnullevent.mof) appear on attacked systems," Aleks wrote. "It's not just the way in which the malicious code gets on to the remote machine which is interesting, but also how the code then gets launched for execution."

 

Kaspersky Labs informed Microsoft, so it has rushed out a critical MS10-061 security bulletin.

 

The bulletin reads, "The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC. By default, printers are not shared on any currently supported Windows operating system."

 

The update is not only critical for all flavours of Window XP but also important for Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

 

It seems Windows sysadmins' patching work is never done.

 

Source: Spencer Dalziel