
Microsoft incorrectly fixed the vulnerability that the Stuxnet worm used

Researchers from the Zero Day Initiative (ZDI) have published information on a new critical remote code execution vulnerability in Windows (CVE-2015-0096), which Microsoft closed with the MS15-020 update. What sets this vulnerability apart is that it dates back to 2010, when Microsoft released an update to fix the infamous CVE-2010-2568 vulnerability, which allowed arbitrary code to be executed on the system using a specially crafted .LNK (shortcut) file.



The Stuxnet worm used this vulnerability to spread and, as has now become known, users remained at risk of exploitation for the five years following the release of the fix. .LNK files can carry, in their body, a reference to an executable PE file from which Windows takes an icon to display in the shell (Explorer).
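As an added example (not code from the original article, ZDI or Microsoft), the Python code below reads the ICON_LOCATION string of a shortcut according to the published shell link format (MS-SHLLINK) and flags links whose icon source is a PE file outside trusted directories. It is a triage heuristic, not a detector for CVE-2010-2568 or CVE-2015-0096; the trusted prefixes, the extension list and the sample paths are assumptions constructed for illustration.

```python
import struct

# Field layout follows the published shell link format (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_ICON, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, HAS_ICON)  # name, relpath, workdir, args, icon
PE_EXTS = (".dll", ".exe", ".cpl", ".ocx", ".scr")
# Assumption: icon sources under these prefixes are treated as expected.
TRUSTED = ("%systemroot%\\", "%windir%\\", "c:\\windows\\", "c:\\program files")

def icon_location(data):
    """Return the ICON_LOCATION string of a shell link, or None if it has none."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # end of the fixed ShellLinkHeader
    if flags & HAS_IDLIST:                     # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_FLAGS:                   # StringData entries appear in this order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2 : pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += 2 + count * width
        if bit == HAS_ICON:
            return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return None

def triage(data):
    """Return (icon_path, flagged); flagged means a PE icon source outside TRUSTED."""
    try:
        icon = icon_location(data)
    except (ValueError, struct.error):
        return None, True                      # malformed shortcut: review by hand
    low = (icon or "").lower()
    return icon, low.endswith(PE_EXTS) and not low.startswith(TRUSTED)

def sample_lnk(icon):
    """Constructed test input: a bare header followed by one ICON_LOCATION string."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ICON | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")

if __name__ == "__main__":
    for path in ("%SystemRoot%\\system32\\shell32.dll", "E:\\icons.dll"):
        print(triage(sample_lnk(path)))
```

Many legitimate shortcuts take their icon from an executable, so a flagged result is a prompt for manual review of the file, not a verdict.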
It appears that there is a vulnerability. Browsing to a working directory, such as via cmd.exe or powershell.exe, does NOT trigger the exploit. Additionally, the vulnerability could be exploited through USB where AutoPlay has been enabled.

All versions of Windows, including the latest Windows 8.1 and Windows 10 TP, are vulnerable to CVE-2015-0096 (DLL Planting Remote Code Execution Vulnerability). As Microsoft's own description of the vulnerability shows, its mechanism matches that of the 2010 vulnerability (CVE-2010-2568): an attacker can place a malicious .LNK file on a removable drive and, if autorun is enabled, execute a malicious program on the system. The same applies to other file sources, including a network location or a malicious website.

A remote code execution vulnerability exists when Microsoft Windows improperly handles the loading of DLL files. An attacker who successfully exploited this system. An attacker could then install programs; view, change, or delete data; create new accounts with full user rights. It could be less impacted than users.

The MS15-020 update patches the Shell32.dll library (KB3039066).

A full description of the vulnerability can be found in the detailed ZDI study.

Source: https://habr.com/ru/post/252711/

