As soon as we identified the vulnerability we informed Microsoft about the problem, and they confirmed our findings. The vulnerability has been identified as the “Print Spooler Service Impersonation Vulnerability” and rated “critical”. Today Microsoft released MS10-061, a patch which fixes this vulnerability. Analysis of the vulnerability shows that it is computers with shared access to a printer that are at risk of infection. During analysis, we searched our collection for other malicious programs capable of using this vulnerability. Happily, we didn’t find anything.

On top of all this, we’ve identified yet another zero-day vulnerability in Stuxnet’s code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future.

The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware. It’s the first time we’ve come across a threat that contains so many “surprises”. Add to this the use of Realtek and JMicron certificates, and remember that Stuxnet’s ultimate aim is to access Simatic WinCC SCADA systems. Stuxnet was undoubtedly created by professionals who’ve got a thorough grasp of antivirus technologies and their weaknesses, as well as information about as yet unknown vulnerabilities and the architecture and hardware of WinCC and PCS 7.

Together with Microsoft and other AV companies, so far we’ve spent more than two months looking at Stuxnet. We’ll be presenting our findings, including a detailed look at how the vulnerability works, at the end of the month at the Virus Bulletin conference.
2010 Sep 14, 22:19
Looking forward to seeing your presentation at VB!!