September 14, 2010, 10:01 PM — Microsoft Tuesday patched a critical Windows XP vulnerability that aided attacks based on the Stuxnet worm by letting attackers gain remote access through the operating system's print spooler service.
But there are still two vulnerabilities related to Stuxnet that Microsoft has not patched, according to Kaspersky Lab.
The print spooler security bulletin is one of nine issued in Microsoft's monthly Patch Tuesday, and one of four rated as critical.
"The most dangerous vulnerability is the Print Spooler service impersonation issue," Symantec Security Response official Joshua Talbot writes in a statement regarding the Microsoft security updates. "This vulnerability has been identified by Symantec as one of the attack vectors built into the notorious Stuxnet threat, which targets industrial control systems. This is evidence the vulnerability is already being exploited in the wild."
The Stuxnet worm was discovered in July and was designed to steal industrial secrets, claiming Siemens as one of its publicly disclosed victims.
Microsoft patched a vulnerability related to Stuxnet last month but the print spooler vulnerability represents a new attack vector for the worm. It was reported to Microsoft by Kaspersky Lab and Symantec.
Kaspersky Lab says that it has "identified yet another zero-day vulnerability in Stuxnet's code, this time an Elevation of Privilege (EoP) vulnerability. The worm uses this to get complete control over the affected system. A second EoP vulnerability was identified by Microsoft personnel, and both vulnerabilities will be fixed in a security bulletin in the near future."
That means there are four vulnerabilities related to Stuxnet, and only two have been patched.
"The fact that Stuxnet uses four previously unidentified vulnerabilities makes the worm a real standout among malware," Kaspersky writes. "It's the first time we've come across a threat that contains so many 'surprises'."
The print spooler error fixed Tuesday affects a wide range of software including Windows 7, Windows Vista, Windows Server 2003, and Windows Server 2008. But it was only rated as "critical" for Windows XP.