Software updates might strengthen cybersecurity, but they’re hardly the full picture when it comes to digital hygiene.
One of the most famous Windows vulnerabilities in history — a coding flaw that was originally discovered in 2010 and had a role in the elaborate U.S. intelligence mission to handicap Iran’s nuclear enrichment program — was the most widely exploited software bug in both 2015 and 2016, according to new research by antivirus provider Kaspersky Lab, even though Microsoft rolled out a patch in August 2010.
“The life of an exploit doesn’t end with the release of a security patch designed to fix the vulnerability being exploited,” Kaspersky Lab researchers wrote in a blog post Thursday sourcing proprietary and open-source intelligence reports. “Once made public, a vulnerability can become even more dangerous: grabbed and repurposed by big threat actors within hours.”
Kaspersky Lab found that 27 percent of users who ran into any exploit between 2015 and 2016 had at some point encountered an attack on CVE-2010-2568, a Windows flaw. The Moscow-based cybersecurity firm qualified its finding by framing the results as the percentage “of users who encountered a particular exploit threat out of all those who encountered any malware categorized as an exploit,” not as a share of its entire user base.
(The current Wikipedia definition of an exploit is as good as any: “a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur in computer software, hardware or something electronic.”)
Catalogued as CVE-2010-2568 and patched by Microsoft in security bulletin MS10-046, the exploit targets a code execution vulnerability in the Windows Shell that can be triggered by plugging a malware-laden USB stick into a computer that’s running an unpatched older version of Microsoft Windows, including Vista and XP.
More specifically, the bug let an attacker plant a malicious .LNK file (a Windows shortcut) that causes Windows Explorer to load an attacker-chosen DLL as soon as the shortcut’s icon is rendered, for instance when the user opens the drive in a folder view. Because the trigger is icon rendering rather than AutoRun, turning AutoRun off does not help, and nobody has to click the shortcut.
CVE-2010-2568 remains prominent on the list of exploited bugs in part because it lets malware spread without an internet connection. Attacks that leverage the vulnerability require little interaction on the part of the hacker beyond an initial physical point of access. The same crafted shortcut can also be dropped onto a network share, so an infected computer inside a shared network can reach neighboring machines that are still unpatched.
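To make the mechanism concrete, here is a small heuristic checker for shortcut files of the shape described above. It is an added example, not code from the article or from Kaspersky Lab: it parses only the ShellLinkHeader and the LinkTargetIDList of the Shell Link (.LNK) format and flags a shortcut whose target list points at a Control Panel item and names a .dll or .cpl file, which is the pattern that made Explorer load the attacker’s DLL while drawing the icon. The two sample shortcuts at the bottom are constructed here for illustration, not captured from real malware, and the DLL path in them is made up.

```python
"""
Heuristic detector for CVE-2010-2568-style .LNK files.

Added example, not from the original article or from Kaspersky Lab. It reads
the ShellLinkHeader and LinkTargetIDList of the MS-SHLLINK format and flags
shortcuts whose target ID list contains the Control Panel folder CLSID and an
item naming a .dll/.cpl file. The two sample shortcuts at the bottom are
constructed for this example, not taken from real malware.
"""
import re
import struct
import uuid

# GUIDs are stored in their little-endian (mixed-endian) on-disk layout.
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le
CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1          # LinkFlags bit 0
HEADER_SIZE = 0x4C                     # fixed ShellLinkHeader size (76 bytes)

# A UTF-16LE run of printable ASCII ending in ".dll" or ".cpl".
DLL_PATH = re.compile(
    rb"(?:[\x20-\x7e]\x00)+\.\x00(?:[dD]\x00[lL]\x00[lL]\x00|[cC]\x00[pP]\x00[lL]\x00)"
)


def parse_item_ids(data: bytes) -> list:
    """Return the raw ItemID payloads of the LinkTargetIDList ([] if the flag is unset)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    if len(data) < HEADER_SIZE + 2:
        raise ValueError("truncated LinkTargetIDList")
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)   # size includes itself
        if item_size == 0:                                    # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2 : pos + item_size])
        pos += item_size
    return items


def looks_like_cve_2010_2568(data: bytes) -> bool:
    """True if the target list walks into the Control Panel and names a DLL/CPL."""
    items = parse_item_ids(data)
    has_cpl_folder = any(CONTROL_PANEL in item for item in items)
    names_dll = any(DLL_PATH.search(item) for item in items)
    return has_cpl_folder and names_dll


# --- constructed samples (not real malware) ---------------------------------

def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def build_lnk(items: list) -> bytes:
    """Build a minimal .LNK: header with HasLinkTargetIDList set, then the ID list."""
    id_list = b"".join(_item(p) for p in items) + b"\x00\x00"   # TerminalID
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST,
        0,            # FileAttributes
        0, 0, 0,      # Creation/Access/Write time
        0, 0, 1,      # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0,   # HotKey, Reserved1, Reserved2, Reserved3
    )
    return header + struct.pack("<H", len(id_list)) + id_list


# Ordinary shortcut: My Computer root item, then a file-system item for a text file.
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER,
    b"\x31\x00" + b"notes.txt\x00",
])

# Exploit shape: root -> Control Panel folder -> item naming a DLL on removable media.
MALICIOUS_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER,
    b"\x2e\x80" + CONTROL_PANEL,
    b"\x00" * 4
    + "\\\\.\\STORAGE#Volume#constructed-example#\\loader.dll".encode("utf-16-le")
    + b"\x00\x00",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(f"{name}: {looks_like_cve_2010_2568(blob)}")
```

A genuine shortcut to a Control Panel applet that names a .cpl file will also trip this check, so treat a hit as a triage signal rather than proof of compromise; the point is that the dangerous ingredient is a shortcut whose target walks into the Control Panel and names a library to load, which is exactly what Explorer resolves when it draws the icon.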
CVE-2010-2568 links back to Stuxnet, the secretive and powerful cyber-weapon that, as first reported by the New York Times’ David Sanger, the U.S. developed to disrupt the centrifuge control hardware inside Iranian enrichment facilities. The worm quickly spread outside of Iran, and the exploit has since been recycled and re-weaponized by various hackers.
Security researchers believe that the Equation Group, an elite hacking team linked to the NSA, was the first to exploit the .LNK vulnerability, in 2008. In that case, the .LNK flaw was one of two zero-day exploits the group used to spread a worm dubbed Fanny, two years before Stuxnet was discovered.