A security flaw affecting Microsoft’s Windows operating system that was exploited by the Stuxnet worm was publicly disclosed more than a year before the worm appeared, according to a researcher at Symantec Corp.
On September 17, Symantec researcher Liam O Murchu noted on that company’s Connect blog that a security publication in April, 2009 had described the same flaw in the Windows Print Spooler Service function that Stuxnet used. Microsoft disclosed and patched the hole in its September security update on September 14, saying it learned of the vulnerability from researchers at Kaspersky Lab.
O Murchu was one of a handful of security researchers who discovered the Print Spooler Service hole as part of a forensic analysis of Stuxnet. The vulnerability, which was believed at the time to be previously undisclosed, affects most versions of Windows and could allow remote code to be run on vulnerable systems. Microsoft issued a security update, MS10-061, closing the hole and commending researchers at Kaspersky Lab and Symantec for relaying information about the vulnerability.
However, it now appears that information about the flaw was in the public domain for more than a year before Stuxnet first appeared, buried in the pages of Hakin9, a respected bimonthly magazine published out of Warsaw, Poland. An article by security researcher Carsten Köhler describes how shared network printer functionality on Windows can be used to elevate the local user’s privileges or to gain command line access to network print servers. The article details both privilege escalation attacks and attack code for carrying out remote code execution on a vulnerable Windows system.
O Murchu said that Microsoft has confirmed that the vulnerability described by Carsten Köhler is the same as the hole that was patched by MS10-061. Microsoft did not immediately respond to requests for comment, but a company spokesman acknowledged, in a published report, that details of the hole were discussed in a security publication in April, 2009, while saying that the company was not made aware of the issue at the time.
The Print Spooler Service hole was just one of four Windows security flaws that were believed to be unknown at the time Stuxnet was identified in the wild. Three other flaws have yet to be patched by Microsoft, which promises fixes in the coming months.
The sophistication of the worm and its ability to compromise industrial control systems by Siemens Inc. has led to speculation that Stuxnet was the work of state-sponsored hackers and may have had a specific target in mind. In recent days, attention has turned to Iran and the country’s controversial Bushehr nuclear reactor. Iran had the highest rate of Stuxnet infections in the world, and some speculate that the worm started as a targeted attack against Bushehr or related facilities, but then jumped the fence to India and other countries.
Attention now shifts to the researcher in question, Carsten Köhler, who is described as a former Ernst & Young employee who now “works as an information systems security expert for a European institution.” Researchers typically relay their findings to Microsoft’s Security Response Center in advance of, or at the time, they decide to go public. After a dust-up with Google, the company recently revised its policy of “responsible disclosure” to advocate “coordinated vulnerability disclosure,” encouraging researchers to give the company an opportunity to patch security holes before details of them are made public.