Security Experts:

Attackers Still Target Old Flaw Exploited by Stuxnet

The most commonly targeted vulnerability in 2015 was a Windows flaw that came to light in 2010 after being exploited by the notorious Stuxnet malware, Microsoft said in its latest Security Intelligence Report (SIR).

The vulnerability in question, tracked as CVE-2010-2568, affects the Windows Shell in Windows 7, Vista, XP, Server 2008 and Server 2003. A remote attacker can exploit the flaw to execute arbitrary code via specially crafted LNK or PIF files. The issue was addressed by Microsoft in August 2010 with the critical security bulletin MS10-046.

This was one of the zero-days exploited in mid-2010 by Stuxnet, the malware used in attacks aimed at Iran’s nuclear facilities. Many other malware families have leveraged the flaw since, and CVE-2010-2568 has often been named over the past years as one of the most targeted vulnerabilities.

Microsoft, whose products detect the threat as Win32/CplLnk, said attackers typically exploit the vulnerability by creating a malformed shortcut file which they deliver via social engineering and other methods.

The company noted that while CVE-2010-2568 was the most commonly targeted individual vulnerability in 2015, it does not mean that all exploit attempts were successful. The statistics are based on threats encountered by Microsoft security products, which detect exploit attempts whether or not the device is plagued by the targeted flaw.

On the other hand, the fact that attackers are targeting such an old vulnerability shows that there still are many unpatched systems.

“CVE-2010-2568, a vulnerability well known for its usage in the Stuxnet malware family in June 2010, has had a patch available since August 2nd 2010 but many systems are still being successfully targeted,” Gavin Millard, Tenable Network Security’s EMEA technical director, told SecurityWeek. “With the fascination of the latest vulnerabilities to be discovered, the newest logo’d bug to hit the media, it’s critically important that organizations don’t forget to patch the long forgotten vulnerabilities still lingering that can be easily exploited.”

In March 2015, HP researchers revealed that they had found a way to bypass Microsoft’s 2010 patch and warned that the vulnerability could still be exploited. However, Microsoft argued that HP actually found a new vulnerability and assigned it a different CVE identifier (CVE-2015-0096).

Microsoft’s SIR 20 also shows that vulnerability disclosures increased 9.4 percent between the first and second half of 2015. As for threats, Microsoft’s anti-malware products encountered roughly the same levels of operating system, Java, Flash Player, HTML/JavaScript, document and browser exploits throughout 2015. Exploit kits remained the most commonly encountered threat and they recorded a considerable increase in the last part of 2015 after steadily decreasing for more than a year.

Related Reading: PoC Exploits Mainly Distributed via Social Media

Related Reading: ICS Flaw Disclosures at High Levels Since Stuxnet Attack

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.