In August 2010, Microsoft patched a previously unknown USB vulnerability that state-sponsored attackers had secretly exploited for years, first to infect targets of the “omnipotent” Equation Group and shortly thereafter to spread the virulent Stuxnet worm inside Iranian nuclear facilities. Now, almost five years later, security researchers have warned that the patch designated as MS10-046 failed to fully repair the weakness and that Windows PCs have remained susceptible to similar attacks the entire time. On Tuesday, the software maker released MS-15-020, a patch it says fixes the vulnerability.
As has been extensively documented since July 2010, the vulnerability has been repeatedly exploited in the wild since at least 2008 to surreptitiously infect PCs, even when they weren’t connected to the Internet, as was the case with computers inside Iran’s Natanz uranium enrichment facility infected by Stuxnet. Besides Stuxnet creators, at least one other group with ties to the NSA has been known to have exploited the so-called .LNK vulnerability: the highly advanced Equation Group hackers. While the exploits developed by those highly advanced state-sponsored attackers would no longer work on a PC that received the MS10-046 patch, there’s no way to know if these hacking groups revised their exploits to work around the update. It’s also unknown if other groups discovered and exploited the vulnerability.
“Whether this is being used in the wild over time remains to be seen,” said Brian Gorenc, the lead researcher with HP’s Zero Day Initiative, which first reported the vulnerability to Microsoft. “It’s hard to believe that somebody didn’t know about this bug prior to it being patched today.”