
Microsoft addresses Stuxnet Trojan-related printing flaw

A critical printer sharing vulnerability is related to the Stuxnet malware, which was discovered targeting industrial control systems and other enterprises.

Microsoft on Tuesday issued nine security bulletins, four of them rated critical, among them a repair for a critical print sharing vulnerability that was being actively targeted in the wild by the Stuxnet Trojan outbreak in July.


In all, Microsoft repaired 11 vulnerabilities across its product line in its monthly release of security patches.

The software giant repaired a critical vulnerability in the Print Spooler service. Microsoft said the vulnerability can be exploited remotely to gain system level access and execute malicious code in Windows' core directory where operating system files are stored. System and configuration files in the core directory often automatically execute.

Patching experts said the Print Spooler vulnerability is dangerous because attackers are already targeting it in the wild. Symantec's Joshua Talbot said the vulnerability was identified as one of the attack vectors built into the notorious Stuxnet threat, which targets industrial control systems.

The vulnerability affects all Windows systems, but Talbot said Windows XP is the most vulnerable because it has a guest account with anonymous access enabled by default. Other security experts downplayed the threat posed by the flaw, because most enterprises use print servers. But home users, small businesses or a rogue employee could set up a shared printer using the Print Spooler service.

"This vulnerability allows for a great deal of stealth since no user interaction is required for an attacker to exploit it," Talbot said in a statement. "An attacker has to be able to send a 'print to file' command as well as other malicious instructions to the machine."

Microsoft issued an emergency patch July 30, repairing a zero-day vulnerability in the Windows Shell that was being used by Stuxnet. In addition, Jerry Bryant, group manager of Microsoft response communications, said engineers are developing two other fixes related to Stuxnet.

Security experts said that Microsoft issued a number of repairs Tuesday fixing vulnerabilities that at first glance appear to be serious flaws, but only exist in specific configurations that are not enabled by default. Jason Miller, data and security team manager at Saint Paul, Minn.-based patch management firm Shavlik Technologies, said that while most IT administrators should know their company's server configurations, it may be difficult to determine if an employee has brought in a computer and has enabled the Print Spooler service on their machine.

"It's kind of a potpourri of patches this month and it depends on how your systems are set up to determine the severity of them," Miller said.
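The configuration question raised above (is the Print Spooler running, is a printer shared, is the Guest account enabled) can be answered per machine with a short audit. The following is an added example, not part of the original article or any Microsoft guidance; it assumes Windows PowerShell 5.1 or later, and the function name `Get-PrintSharingExposure` is hypothetical.

```powershell
# Added example: reports the local conditions the article ties to exposure.
# Assumes Windows PowerShell 5.1 or later (Get-LocalUser, Get-CimInstance).
function Get-PrintSharingExposure {
    [CmdletBinding()]
    param()

    # Print Spooler service state (the service name is "Spooler").
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Printers this machine shares on the network (Win32_Printer.Shared).
    $shared = @(Get-CimInstance -ClassName Win32_Printer -ErrorAction SilentlyContinue |
        Where-Object { $_.Shared })

    # Built-in Guest account, which the article cites as the reason XP is most exposed.
    # Matched by its well-known RID 501 so a renamed account is still found.
    $guest = Get-LocalUser -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    $guestEnabled   = ($null -ne $guest) -and $guest.Enabled

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerStatus  = if ($spooler) { [string]$spooler.Status } else { 'NotInstalled' }
        SpoolerStartup = if ($spooler) { [string]$spooler.StartType } else { $null }
        SharedPrinters = $shared.Name -join ', '
        GuestEnabled   = $guestEnabled
        # A shared printer served by a running spooler is the configuration described.
        PrintSharingOn = $spoolerRunning -and ($shared.Count -gt 0)
    }
}

Get-PrintSharingExposure | Format-List
```

To survey several machines, the same function can be run through PowerShell remoting with `Invoke-Command`.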

Microsoft also repaired a critical media handling flaw in the MPEG-4 codec that could be remotely exploited by an attacker to gain access to a victim's machine. The vulnerability affects Windows XP, Windows Vista, Windows Server 2003 and 2008. To exploit the flaw, an attacker would need to get a user to open a malicious media file or receive streaming content from a website or application that delivers Web content, Microsoft said.

Microsoft issued an update repairing a critical flaw in Windows' Unicode Scripts Processor, which supports scripts that require special processing to show and edit. The flaw could enable drive-by attacks, since the user would only have to view a Web page with a malicious document or an application that supports embedded OpenType fonts.

"It does not require anything from you besides visiting that site," said Wolfgang Kandek, chief technology officer at Redwood Shores, Calif.-based Qualys Inc. "It's not a very difficult attack to execute."

Microsoft also blocked a vulnerability in Microsoft Outlook. The flaw is rated critical for users of Outlook 2002 and important for users of Outlook 2003 and 2007. For an attacker to exploit the flaw, Outlook must be connected to an Exchange server supporting Online Mode. It could enable an attacker to gain the same user rights as the local user.

In addition, five Microsoft bulletins were rated Important. Qualys' Amol Sarwate, manager of the vendor's vulnerability research lab, said IT admins should look carefully at the elevation of privilege vulnerability in Active Directory. The flaw affects all versions of Windows. While an attacker must be authenticated to pull the attack off, it is possible to successfully exploit the flaw by exploiting an authenticated machine connected to Active Directory, he said.
