Stuxnet Fallout: Microsoft Patches Critical Print Spooler Hole

Microsoft patched a zero day vulnerability in Windows Print Spooler that was used by Stuxnet and says that cross vendor cooperation may be the silver lining to the Stuxnet attack.

Microsoft patched a zero day vulnerability in Windows Print Spooler that was used by Stuxnet and says that cross vendor cooperation may be the silver lining to the Stuxnet attack.

Microsoft on Tuesday announced a software update to close a critical hole in a common service used by WIndows XP systems to share local printers. Experts say the hole, which was discovered by researchers at Kaspersky Lab, was one of four previously unknown attacks used in the recent Stuxnet outbreak. 

The Redmond, Washington software maker announced the security fix as part of its monthly “Patch Tuesday” update. The company, last week, announced fixes for 13 vulnerabities (https://threatpost.com/microsoft-patch-13-security-holes-windows-office-090910/) affecting Windows, Microsoft Office and the Internet Information Services (IIS) products. The hole, if left unpatched, could allow an attacker to connect to the print spooler service on a compromised Windows XP system without authenticating first, said Maarten Van Horenbeeck, Senior That could allow attackers who had already compromised the security of a Windows XP host to “elevate their privileges,” gaining administrative access to the system. 
Microsoft said the hole was discovered by researhers at Kaspersky Lab as part of an industry-wide reaction to the recent Stuxnet attacks, which leveraged two previously unknown (or “zero day”) Windows exploits to propagate and signed binaries using legitimate certificates stolen from Realtek Semiconductor. VeriSign subsequently revoked those signing certificates. (http://threatpost.com/en_us/blogs/verisign-revokes-certificate-used-sign-stuxnet-malware-071710). 
“We were all trying to figure out how Stuxnet elevated its privileges on compromised systems. Kaspersky was the first to identify the print spooler service as the source of one of the privilege escalations vulnerabilities,” said  Van Horenbeeck. 
Security researchers at Kaspersky Lab, which is part of Microsoft’s Active Protection Program (MAPP) shared information about the vulnerability with Microsoft, which as subsequently contacted by researchers at Symantec Corp., who had independently discovered the same hole in the print spooler service. (Editor’s Note: Threatpost.com is an online security publication of Kaspersky Lab.) Microsoft waited for those separate analyses to be completed before releasing its own bulletin on the print spooler service hole. MS10-XX.
“Kaspersky responsibly disclosed this one to Microsoft after researching the malware thoroughly, and worked with Microsoft to identify and report others,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab. Alex Gostev, Kaspersky’s lead researcher, will present technical details on the vulnerability at the Virus Bulletin conference in Vancouver, British Columbia, at the end of the month.  
Though Microsoft has rated the print spooler service vulnerability critical on Windows XP systems, it is unlikely to be used outside of Stuxnet attacks or similar compromises. 
“We have no evidence that the vulnerability was exploited outside of Stuxnet,” said Van Horenbeeck. While the privilege escalation attack was useful for the Stuxnet authors, it was used sparingly even by Stuxnet and is unlikely to be used on a wide scale, because it requires attackers to first compromise a machine and then share a printer from that system. “It’s not a common scenario,” he said. 
The prilege escalation was just one component of what security researchers agree was one of the most sophisticated malware attacks ever. Cooperation between vendors as part of MAPP helped to accelerate response, Microsoft said. 
“This code is not five year old script kiddie stuff like we often see gussied up in the media,” Baumgartner wrote in an e-mail. “It’s the stuff that well funded groups with highly technical talent implement.” 
Microsoft was quick to cite the MAPP program as a contributor to the success. That cross- industry partnership has gained adherants. Adobe, in July, announced that it would give  join MAPP and give members a head start on vulnerabilities in its own products. But the Redmond, Washington software maker ruled out cash payments for information on vulnerabilities – at least for now – citing the success of its cooperative work with other vendors and a desire to do what’s “good for customers.”

The Redmond, Wash., software maker announced the security fix as part of its monthly Patch Tuesday update. Microsoft announced fixes for 13 vulnerabilities affecting Windows, Microsoft Office and the Internet Information Services (IIS) products. One of those patches, MS10-061 covers a Print Spooler Service Impersonation Vulnerability that, if left un-patched, could allow an attacker to spread on computer networks through local printers shared from infected machines, said Maarten Van Horenbeeck, Senior Program Manager at Microsoft’s Security Response Center (MSRC). 

In a blog post, Kaspersky Lab researcher Alexander Gostev said the Print Spooler hole was one of four previously unknown, or “zero day” holes that Stuxnet used. (Editor’s Note: Threatpost.com is an online security publication of Kaspersky Lab.) 

 

“This makes Stuxnet truly unique: it is the first threat we have encountered that contains this many surprises in a single package,” Gostev wrote. 

Kaspersky Lab is part of Microsoft’s Active Protection Program (MAPP). The company shared information about the vulnerability with Microsoft as soon as it was identified. The same hole was subsequently discovered by researchers at Symantec Corp, as well. Microsoft waited for those separate analyses to be completed before releasing its own bulletin on the print spooler service hole, MS10-061.

“Kaspersky responsibly disclosed this one to Microsoft after researching the malware thoroughly, and worked with Microsoft to identify and report others,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.

Microsoft said details on the Print Spooler hole came to light in the wake of the worm outbreak, as researchers across the AV industry took the malware apart to discover how it compromised systems and spread.

 

“We were all trying to figure out how Stuxnet elevated its privileges on compromised systems. Kaspersky was the first to identify the print spooler service as the source of one of the privilege escalations vulnerabilities,” said  Van Horenbeeck. 

The worm, which was designed to steal data stored on systems running Siemens’ Simatic WinCC SCADA software, also distributed malicious binaries that were signed using legitimate certificates stolen from Realtek Semiconductor. VeriSign subsequently revoked those signing certificates.

Though Microsoft has rated the print spooler service vulnerability critical on Windows XP systems, it is unlikely to be used outside of Stuxnet attacks or similar compromises, Van Horenbeeck said, noting that it requires attackers to first compromise a machine and then share a printer from that system.  

“It’s not a common scenario and we have no evidence that the vulnerability was exploited outside of Stuxnet,” he said.

Microsoft was quick to cite the MAPP program as a contributor to the success. Cooperation between vendors as part of MAPP helped to accelerate response, Microsoft said. 

The cross- industry partnership has gained adherents. Adobe, in July, announced that it would join MAPP and give members a head start on vulnerabilities in its own products. But Microsoft ruled out cash payments for information on vulnerabilities – at least for now – citing the success of its cooperative work with other vendors and a desire to do what’s “good for customers.”

Gostev will present technical details on the vulnerability at the Virus Bulletin conference in Vancouver at the end of the month.  

Suggested articles