Posted by Robert Vamosi on May 9, 2016
In a recent report, Microsoft found that among the exploit-related malware families it detected during 2015 was a six-year vulnerability that was well-publicized.
Back in 2010, security researchers traced a series of hardware-specific infections to a piece of malware dubbed Stuxnet. This malware lay dormant on Windows machines unless there was also access to a SCADA system running Siemens Simatic WinCC and PCS 7 SCADA system. In particular, the targets most affected most by Stuxnet were centrifuges manufactured by Siemens and used in Iran to enrich uranium.
The compromised machines had, among other things, a vulnerability that affected how Windows handled a shortcut file using either .LNK or .PIF. CVE-2010-2568 is an input validation error (CWE 20) that leverages CVE-2010-2772 in Siemens WinCC SCADA systems. Microsoft issued MS10-046 to address this issue.
In its Security Intelligence Report, Microsoft points out that “real-time security products can detect and block attempts to exploit known vulnerabilities whether the computer is affected by the vulnerabilities or not. For example, the CVE-2010-2568 CplLnk vulnerability has never affected Windows 8, but if a Windows 8 user receives a malicious file that attempts to exploit that vulnerability, Windows Defender is designed to detect and block it anyway.”
Yet, in 2015, CVE-2010-2568 remained one of the most targeted exploits on the internet.
Joining the Stuxnet vulnerability in the top ten were exploit kits, which allow novices to create their own malware leveraging known vulnerabilities. Among the most popular exploit kits, Angler took top spot followed by Sweet Orange. For example, the Angler exploit kit targets compromised runtimes and zero-day holes in Microsoft Silverlight, Adobe Flash, and Oracle’s Java with the Internet Explorer browser included.
What’s unclear form the report is why a six-year old vulnerability remains so well exploited. It is possible these are Internet of Things (IoT) devices that are running earlier versions of Windows (versions before Windows 8 are vulnerable) and these devices have not been updated and might not be able to be updated.