Researchers Uncover Stuxnet-Style Flaw In Windows

Ten years after the Stuxnet computer worm was first uncovered in 2010, security researchers have found two unpatched flaws in the same Windows component exploited by Stuxnet to attack critical infrastructure systems.

Stuxnet attacked its targets via a flaw in the 20-year-old Windows Print Spooler, which acts as an interface between Windows and a printer, loading the printer driver, queueing print jobs and carrying out other printing-related tasks.

The Stuxnet worm, thought to be a cyber-weapon jointly developed by the US and Israel, used its Windows Print Spooler flaw, known as CVE-2010-2729, to gain remote access to a system in order to execute malicious code.

More recently, in May 2020, Microsoft patched CVE-2020-1048, a privilege-escalation vulnerability in the Print Spooler that could allow an attacker to gain the highest level of system privileges, effectively allowing them to take control of a system.

Patch bypass

But two researchers, Tomer Bar and Peleg Hadar of SafeBreach Labs, have now discovered that Microsoft’s patch was not complete, and can be bypassed to re-exploit the same issue.

Microsoft has assigned the designation CVE-2020-1337 to the latest flaw, and said it plans to fix the bug in its August monthly Windows patch update.

Bar and Hadar also found a denial-of-service (DoS) vulnerability in the Print Spooler, but Microsoft said this flaw is not serious enough to patch.

The escalation-of-privilege attack affects Windows versions from Windows 7 to Windows 10, while the DoS bug affects all versions from Windows 2000 up to current releases.

At the Black Hat USA 2020 security conference, Bar and Hadar said the privilege escalation flaw could be used by an attacker who has physical access to a system to gain escalated privileges.

An attacker who had already established remote access through other means could also use the flaw to take control of a system and execute malicious code.

Persistence

The flaw could additionally be used to establish persistence on a system, Bar and Hadar said.

They said the bug can be exploited using a series of PowerShell commands, without the need for specialised tools.

They have released proof-of-concept exploit code for the DoS bug and plan to release it for the escalation-of-privilege attack after Microsoft patches it.

The pair have also developed proof-of-concept code for a mini filter kernel driver that they said can help mitigate privilege escalation flaws in real time.

The researchers are publishing their proof-of-concept code on GitHub.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
