Microsoft patched a zero-day vulnerability in Windows Print Spooler that was used by Stuxnet and says that cross-vendor cooperation may be the silver lining to the Stuxnet attack.
Microsoft on Tuesday announced a software update to close a critical hole in a common service used by Windows XP systems to share local printers. Experts say the hole, which was discovered by researchers at Kaspersky Lab, was one of four previously unknown attacks used in the recent Stuxnet outbreak.
The Redmond, Wash., software maker announced the security fix as part of its monthly Patch Tuesday update. Microsoft announced fixes for 13 vulnerabilities affecting Windows, Microsoft Office and the Internet Information Services (IIS) products. One of those patches, MS10-061, covers a Print Spooler Service Impersonation Vulnerability that, if left unpatched, could allow an attacker to spread on computer networks through local printers shared from infected machines, said Maarten Van Horenbeeck, Senior Program Manager at Microsoft’s Security Response Center (MSRC).
In a blog post, Kaspersky Lab researcher Alexander Gostev said the Print Spooler hole was one of four previously unknown, or “zero-day,” holes that Stuxnet used. (Editor’s Note: Threatpost.com is an online security publication of Kaspersky Lab.)
“This makes Stuxnet truly unique: it is the first threat we have encountered that contains this many surprises in a single package,” Gostev wrote.
Kaspersky Lab is part of Microsoft’s Active Protection Program (MAPP). The company shared information about the vulnerability with Microsoft as soon as it was identified. The same hole was subsequently discovered by researchers at Symantec Corp, as well. Microsoft waited for those separate analyses to be completed before releasing its own bulletin on the print spooler service hole, MS10-061.
“Kaspersky responsibly disclosed this one to Microsoft after researching the malware thoroughly, and worked with Microsoft to identify and report others,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab.
Microsoft said details on the Print Spooler hole came to light in the wake of the worm outbreak, as researchers across the AV industry took the malware apart to discover how it compromised systems and spread.
“We were all trying to figure out how Stuxnet elevated its privileges on compromised systems. Kaspersky was the first to identify the print spooler service as the source of one of the privilege escalation vulnerabilities,” said Van Horenbeeck.
The worm, which was designed to steal data stored on systems running Siemens’ Simatic WinCC SCADA software, also distributed malicious binaries that were signed using legitimate certificates stolen from Realtek Semiconductor. VeriSign subsequently revoked those signing certificates.
Though Microsoft has rated the print spooler service vulnerability critical on Windows XP systems, it is unlikely to be used outside of Stuxnet attacks or similar compromises, Van Horenbeeck said, noting that it requires attackers to first compromise a machine and then share a printer from that system.
“It’s not a common scenario and we have no evidence that the vulnerability was exploited outside of Stuxnet,” he said.
Microsoft was quick to cite the MAPP program as a contributor to the success. Cooperation between vendors as part of MAPP helped to accelerate response, Microsoft said.
The cross-industry partnership has gained adherents. Adobe, in July, announced that it would join MAPP and give members a head start on vulnerabilities in its own products. But Microsoft ruled out cash payments for information on vulnerabilities – at least for now – citing the success of its cooperative work with other vendors and a desire to do what’s “good for customers.”
Gostev will present technical details on the vulnerability at the Virus Bulletin conference in Vancouver at the end of the month.