Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability

Microsoft’s March 2015 Patch Tuesday security bulletins include patches for an old Stuxnet LNK vulnerability and the FREAK SSL vulnerability.

Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins released by Microsoft.

Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack. Microsoft also released an advisory announcing that SHA-2 code signing support has been added to Windows 7 and Windows Server 2008 R2. Later versions of Windows desktop and server OSes already include support for SHA-2 signing and verification, Microsoft said.

The highest-profile bulletin, however, is MS15-020, which resolves some issues left behind by the original patch for the Stuxnet vulnerability, CVE-2010-2568, released in August 2010. The bulletin covers two remote code execution vulnerabilities: one in how Windows handles the loading of DLL files, and the other in how Windows Text Services improperly handles objects in memory.

The DLL planting vulnerability was used by Stuxnet to attack the Iranian nuclear program in 2009. If a user viewed a folder or directory storing a malicious .LNK file, the exploit would allow the attacker to run code of their choice remotely.

The issue was reported to HP’s Zero Day Initiative, which worked with Microsoft, providing it with details and a proof-of-concept exploit that was used to build a new patch.

The IE bulletin, MS15-018, addresses a number of memory corruption and elevation of privileges vulnerabilities in the browser.

“The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by modifying how the VBScript scripting engine handles objects in memory, by helping to ensure that cross-domain policies are properly enforced in Internet Explorer, and by adding additional permission validations to Internet Explorer,” Microsoft said in its advisory.

The vulnerability is rated critical for all client versions of IE going back to IE6, while it’s rated moderate going back to IE6 on Windows Server.

Microsoft said that one of the elevation of privilege vulnerabilities has been publicly disclosed and exploited. Some details on CVE-2015-0072 were disclosed in early February by U.K. researcher David Leo of Deusen. The vulnerability, a universal cross-site scripting (XSS) bug, could be exploited to steal information or inject code into domains on the browser on Windows 7 and 8.1, he said.

Microsoft also patched a critical vulnerability in the Windows VBScript scripting engine that could lead to remote code execution. MS15-019 patches the flaw, which can be exploited if a user is led to a website hosting an exploit. VBScript 5.8 in IE 8-11 is affected by the vulnerability, which exists in the way the VBScript engine, when rendered in IE, handles objects in memory.

Microsoft also patched critical remote code execution vulnerabilities in Office. The critical bugs in MS15-022 lead to remote code execution and can be exploited via malicious Office documents. In addition to Office software, SharePoint is also affected by a pair of cross-site scripting vulnerabilities.

The final critical bulletin is MS15-021, which patches eight vulnerabilities in the Adobe Font Driver, four of them critical remote code execution bugs, along with less-severe information disclosure and denial of service vulnerabilities.

The critical RCE vulnerabilities are exploited over the web by taking advantage of a flaw in the way the driver improperly overwrites objects in memory. None of the vulnerabilities were publicly disclosed, nor have they been exploited in the wild.

Microsoft also released a bulletin addressing the FREAK vulnerabilities. MS15-031 specifically patches the security feature bypass vulnerability in Schannel, the Windows implementation of SSL/TLS, that enables FREAK attacks. FREAK forces systems to downgrade the key length of an RSA key to a crackable 512 bits, enabling a man-in-the-middle attack that puts supposedly encrypted traffic at risk.

Initially, it was believed that FREAK was confined to certain SSL clients, including OpenSSL, but Microsoft released an advisory on March 5 warning about Schannel’s exposure.

“The security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems,” Microsoft said.
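The enforcement Microsoft describes can be pictured as a client-side policy check on the handshake. The sketch below is an added example, not Schannel code or anything from Microsoft's advisory; the function name and the sample handshakes are constructed, and the suite IDs are the IANA TLS registry values.

```python
# Added illustration, not Schannel code. Suite IDs are IANA TLS registry values.
RSA_EXPORT = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_PLAIN = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def check_handshake(offered, selected, temp_rsa_bits=None):
    """Client-side policy check (hypothetical helper); returns (accept, reason).

    offered       -- suite IDs the client put in its ClientHello
    selected      -- suite ID the ServerHello came back with
    temp_rsa_bits -- modulus size of a temporary RSA key carried in
                     ServerKeyExchange, or None if no such message arrived
    """
    if selected not in offered:
        return False, "server selected a suite the client never offered"
    if selected in RSA_EXPORT:
        return False, "export-grade suite negotiated: " + RSA_EXPORT[selected]
    if selected in RSA_PLAIN and temp_rsa_bits is not None:
        # Plain RSA key exchange uses the certificate key; a temporary RSA
        # key here is the downgrade pattern FREAK relies on.
        return False, "unexpected %d-bit temporary RSA key for %s" % (
            temp_rsa_bits, RSA_PLAIN[selected])
    if selected in RSA_PLAIN:
        return True, "ok: " + RSA_PLAIN[selected]
    # Fail closed for suites this example does not model (DHE, ECDHE, ...).
    return False, "suite 0x%04X is outside this example's tables" % selected


# Constructed handshake summaries (not captured traffic).
SAMPLES = [
    ("normal", [0x002F, 0x0035], 0x002F, None),
    ("freak-pattern", [0x002F, 0x0035], 0x002F, 512),
    ("export-offered", [0x0003, 0x002F], 0x0003, 512),
    ("not-offered", [0x002F], 0x0008, 512),
]

if __name__ == "__main__":
    for name, offered, selected, bits in SAMPLES:
        print(name, check_handshake(offered, selected, bits))
```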

Of the remaining bulletins, all of which are rated important by Microsoft, MS15-027 merits attention. The bulletin patches a vulnerability in Windows Netlogon by modifying the way it handles secure channels.

“The vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system,” Microsoft said in its advisory, adding that the severity is lessened because an attacker would have to be logged on to a domain-joined system and be able to observe network traffic.
