The vulnerability that allowed the infamous Stuxnet, Flame and Gauss malware campaigns (CVE-2010-2568) is still being exploited today, despite the flaw having been patched in autumn 2010 by Microsoft. Kaspersky Lab detection systems are still registering tens of millions of detections of CVE-2010-2568 exploits. Startlingly, more than 50 million detections on more than 19 million computers worldwide were recorded in the past eight months.
The lack of patching on the part of IT administrators is surprising given that the vulnerability has quite an infamous history. It’s an error in processing tags in Windows OS, which enables the download of the random dynamic library without the user's awareness. The vulnerability affects Windows XP, Vista and Windows 7, as well as Windows Server 2003 and 2008.
The first malware exploiting this vulnerability was registered in July 2010: the worm Sality, which generates vulnerable tags and distributes them through the LAN. If a user opens a folder containing one of these vulnerable tags, a malicious program immediately begins to launch.
The summer of 2010 then saw the appearance of Stuxnet, a computer worm which had been designed specifically (likely by the US and Israel) to sabotage the uranium enrichment process at several factories in Iran. Subsequently, the state-sponsored Flame and Gauss spyware made use of the security hole.
Digging a little deeper into the statistics, it turns out that most of the unpatched systems are running Windows XP, the outdated OS.
“The lion's share of detections (64.19%) registered over the last eight months involved XP and only 27.99% were on Windows 7,” Kaspersky said in a report detailing the persistence of the open flaw.
“Kaspersky Lab products protecting Windows Server 2003 and 2008 also regularly report detection of these exploits (3.99% and 1.58% detections respectively). The large number of detections coming from XP users suggests that most of these computers either don't have an installed security solution or use a vulnerable version of Windows - or both. The detections coming from server systems prove the presence of malicious tags exploiting the CVE-2010-2568 vulnerability on network folders with open access.”
The geographical distribution of all registered CVE-2010-2568 detections is also interesting. Between Nov. 2013 and June 2014, Vietnam (42.45%), India (11.7%) and Algeria (5.52%) are among the leaders for the number of vulnerability detections. And, the outdated XP OS is also widely used in all these countries.
“It's not surprising that CVE-2010-2568 exploits are still popular in some of these countries,” Kaspersky researchers noted. “So many users of outdated versions of Windows mean these exploits are effective even though almost four years have passed since the disclosure and patching of the vulnerability.”
As Kaspersky pointed out, using an outdated version of an operating system is fraught with the risk of cyber-attacks involving exploits, special programs that target vulnerabilities in legitimate software to infect a computer with other dangerous malware. Earlier this year, nearly 13 years after its launch, Microsoft stopped pushing out any security fixes for Windows XP.
“Although exploits for Windows and other popular Microsoft products are not widespread compared with, for instance, exploits for Java vulnerabilities, they constitute a great threat and examples of exploiting Windows and Microsoft Office vulnerabilities in complex cyber-espionage campaigns is further proof of this,” Kaspersky warned. “When it comes to Windows and other Microsoft products vulnerabilities, the attackers are not willing to keep up with the times and create exploits for relatively new vulnerabilities. This might happen because the attackers are quite satisfied with the old vulnerabilities.”
The advice, of course, is to migrate from Windows XP as soon as possible, and to keep software patched regularly.