Stuxnet Vulnerabilities for the Non-Geek

Google translate is pretty cool, but they are missing a language. You can translate from Haitian Creole to Yiddish and from Galacian to Maltese, but you can’t translate from geekspeak to anything a regular person understands. The good part about this for me is that I have a job trying to do just that!

David Harley just posted a blog Win32k.sys: A Patched Stuxnet Exploit (https://www.welivesecurity.com/2010/10/15/win32k-sys-about-the-patched-stuxnet-exploit) that is pretty technical in nature, but has some parts that I think non-techies should also understand.

Let’s start with a couple of terms and definitions. You’ll often see words like zero day vulnerability and zero day threat. Different people have different definitions, but I will give you understandable and useful definitions. A zero day vulnerability is a problem with a program that nobody had known of before and is not fixed. A zero day threat is malicious software that is brand new and is not detected by security products.

David mentions a “Print Spooler attack”. Huh? It really is easy. When you go to print documents there is more information that the tiny brain of your printer can absorb, so the computer saves it and feeds the printer a little bit at a time. If there are 30 different documents waiting to be printed it would be a mess trying to figure out what page belongs to what document if the printer printed a page at a time from each one until all of the pages from all of the documents were printed. The print spooler is software that keeps track of all of this and sends the printer the information so that it prints all of the pages in order and one document at a time until everything is done in an orderly fashion. Unfortunately there was a problem with the Windows Print Spooler software and this allowed an attacker to effectively gain control of a computer without having to be there. Stuxnet used this to help spread throughout computer networks automatically.

David also talks about elevation of privilege (EoP) vulnerabilities. These are vulnerabilities that didn’t exist in DOS or Windows 95 because everything had full control, but in Windows XP, Vista, and Windows 7, there are different privileges for security purposes. Keeping users and programs from being allowed to modify critical files prevents a lot of bad programs from being able to infect a computer and prevents hackers from being able to take control of a computer. In the case of Stuxnet, there were two different zero day vulnerabilities that were used so that Stuxnet could get from normal user level permission all the way up to system level permission. With system level permission Stuxnet could do almost anything it wanted on the computer. Have you ever seen a message that says you don’t have permission to see something or do something? Stuxnet knew how to give itself permission. A flaw in the software that translates what you type on the keyboard to letting the computer know what that was allowed Stuxnet to have more control over the infected computer than it was supposed to be allowed.

For a normal user, all of the pictures of computer code don’t really matter. What is critical for you to understand is that if you do not apply the recent Microsoft security patches, anyone can hijack your computer using the print spooler attack and the privilege escalation attacks.

Stuxnet was unusual in that it used several new zero day vulnerabilities. How it used them is less important than making sure no other malicious software or website uses them against you going forward.

Randy Abrams
Director of Technical Education
ESET LLC