The vulnerability which Stuxnet exploited remains unpatched on two-thirds of PCs running Windows XP.
According to research by Kaspersky Lab, although the CVE-2010-2568 vulnerability was patched in June 2010, its detection systems registered tens of millions of detections of CVE-2010-2568 exploits over the eight months between November 2013 and June 2014.
The majority of detections (64.19 per cent) were on XP, and 27.99 per cent were on Windows 7. “The large number of detections coming from XP users suggests that most of these computers either don’t have an installed security solution or use a vulnerable version of Windows – or both,” said Yuri Ilyin, Kaspersky business editor.
“The detections coming from server systems prove the presence of malicious tags exploiting the CVE-2010-2568 vulnerability on network folders with open access.”
The CVE-2010-2568 vulnerability is an error in the processing of tags in the Windows OS, enabling the download of a random dynamic library without the user’s awareness. The vulnerability affected Windows XP, Vista and Windows 7, as well as Windows Server 2003 and 2008. After Sality and Stuxnet used this vulnerability, it was also used by the Flame and Gauss spyware.
Asked why any business would leave such a critical flaw unpatched for so long, TK Keanini, CTO of Lancope, said that there are many answers to this question, but in the end they fall into two categories: those that know they have the flaw present and for some reason cannot remediate without breaking something, and those that don’t know the vulnerability is present on their network. “In either case, the cost of cleanup after an exploitation far outweighs the cost of discovery and patching,” he said.
Mikko Hypponen, chief research officer of F-Secure, who last week said that he was surprised that there were so few copycats at the Black Hat conference, told IT Security Guru: “Windows XP is the gift that keeps on giving. Vulnerabilities like CVE-2010-2568 will never go away as long as there are users who never update their systems.
“This case is also a good example of how zero day exploits developed by Governments eventually end up in the hands of criminals and are used to infect normal end users with everyday malware.”
Asked why there have not been more exploits of the flaw, Keanini said: “Stuxnet has many variants in the wild today and like all effective exploitation, it will continue to evolve until it is rendered ineffective. Given how highly connected we are and continue to be, the exploitation of one’s system or sensitive data has an effect on other systems. We no longer can assess the impact in isolation.”
Kaspersky’s main findings were that 16.37 per cent of Kaspersky Lab customers used computers running Windows XP, while the latest release, Windows 8.1, is most widespread in the USA, Canada, Germany and the UK. Windows XP is most widespread in Vietnam, China, India, Algeria and Spain.
Tim Erlin, director of product management at Tripwire, said: “Kaspersky is only seeing part of the picture here. As a malware detection product, they have recorded and measured ‘detections of exploits’ rather than the vulnerability itself. They can infer from the exploit activity that the vulnerability is present, but there may be many more systems that are vulnerable, but not yet being exploited.
“It’s possible that the geographical distribution of the exploit activity measured by Kaspersky correlates to the relative density of the available attack surface. In other words, Vietnam, India and Indonesia have more vulnerable systems and therefore more exploits detected. It’s also possible that other factors contribute to the concentration, such as ability to respond and clean up incidents.”