Microsoft plugs new hole used by Stuxnet

Microsoft closes a second propagation method used by the worm in its latest batch of Patch Tuesday monthly security bulletins. The Windows hole is rated "critical" for XP users.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Microsoft on Tuesday issued patches for 11 vulnerabilities in Windows and Office, including a hole being used by the Stuxnet worm to infect PCs.

The security bulletin MS10-061 addresses a vulnerability in the print spooler service of Windows that could allow an attacker to take control of a computer by sending a specially crafted print request to a vulnerable system where the print spooler service is exposed without authentication, according to the security advisory.

The hole, discovered by Kaspersky Lab and later Symantec, is being exploited by Stuxnet and is rated "critical" for Windows XP but only "important" for the other supported versions of Windows.

"If this remained unpatched, it could turn into another big worm, like Blaster," said Kurt Baumgartner, senior security researcher at Kaspersky.

Microsoft issued an emergency fix in early August for another critical hole in Windows that was being used by Stuxnet related to the way Windows handles shortcut files implemented with the .lnk extension. The latest patch fixes a secondary propagation method used by the worm, which targets industrial control systems but can spread through Windows on any network.

Microsoft also is working on fixes for two elevation-of-privilege vulnerabilities targeted by Stuxnet that could allow an attacker to gain full control of an infected system, if the attacker already has permission to run code on the system or has otherwise compromised it, according to a Microsoft TechNet blog post. The fixes will come at a later undetermined date.

The Patch Tuesday release also includes a fix for a critical vulnerability in the MPEG-4 codec that affects all supported versions of Windows. The hole could allow an attacker to take control of a computer, if the user views malicious streaming-video content.

This could be used in so-called drive-by attacks on Web surfers, said Andrew Storms, director of security operations at nCircle. "Halo fans watching user-posted content (and anyone else watching AVI movies) should be extra careful over the next week or so; otherwise, your computer could get 'shot up' with malware," he said.

There are two other critical bulletins, fixing holes in Windows' Unicode scripts processor and Microsoft Outlook. The remaining five "important" bulletins relate to vulnerabilities in Microsoft Internet Information Services, Remote Procedure Call, WordPad Text Converters, Local Security Authority Subsystem Service, and Windows Client/Server Runtime Subsystem.

There were no critical bulletins for Windows 7 or Windows Server 2008 R2 in this Patch Tuesday batch, and none of the vulnerabilities affect Office 2010, Microsoft noted.

Meanwhile, Microsoft said it is releasing two security advisories this month. One is related to a vulnerability affecting Outlook Web Access that may affect Microsoft Exchange customers, and the other is an updated advisory enabling Outlook Express and Windows Mail to opt in to Extended Protection for Authentication.

This Print Spooler and MPEG-4 bulletins are at the top of the priority list for patching in September's Patch Tuesday roundup.
This Print Spooler and MPEG-4 bulletins are at the top of the priority list for patching in September's Patch Tuesday roundup. Microsoft

Updated 1:12 p.m. PDT September 15 to correct that total number of vulnerabilities fixed was 11, not 13 as initially reported by Microsoft on Tuesday and last week.