preview

Computer Science Student Michael Heerklot

Better Essays
Incident 1: Stuxnet .LNK Vulnerability 1.1 Background Patched Windows machines remained vulnerable to Stuxnet .LNK exploit since 2010. In early January 2015, Michael Heerklotz approached the Zero Day Initiative with details of a vulnerability in the Microsoft Windows operating system and it was assigned CVE-2015-0096. Stuxnet .LNK Vulnerability was discovered by a German computer science student Michael Heerklot, who through interest in the discovery and impact of Stuxnet exploit, decided to investigate Stuxnet attack, particularly the hack of the Natanz uranium enrichment facility where the .LNK vulnerability in windows shell was exploited in 2010 [1]. He examined the .LNK vulnerability, which was presumably patched by Microsoft, to…show more content…
The issue is that in Windows, icons are executed from modules (either executables or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could” [2]. The first patch released August in 2010, Microsoft put in an explicit whitelist check with MS10-046. Once installed, it intended to ensure that only approved .CPL files should have been used to load non-standard icons for links. This patch failed and for more than four years, all windows files have been vulnerable to exactly the same attack that stuxnet attackers used in initial exploit. In light of its recent rediscovery, it is unknown if other groups discovered and exploited the vulnerability in the wild [2]. The section below explores the section of code that was patched in the initial patch in 2010 and how the vulnerability remained vulnerable. The definition of the function shown below is taken from a function called CControlPanelFolder::GetUiObjectOf() in Shell32.dll. Shown in the diagram below is the first block that was changed after zero day vulnerability was discovered. In the event below a whitelist check was put in place. The definition calls for a custom icon, with the iconID of 0, which is checked against a
    Get Access