Zero-day vulnerability in Windows

Improper input validation
CVE-2010-2568

The vulnerability was used by Stuxnet worm. According to Symantec the first exploitation of the vulnerability was discovered on 2008-02-13.

Known malware:

Bloodhound.Exploit.343
W32.Stuxnet
W32.Changeup.C
W32.Ramnit

Vulnerability details

Advisory: SB2010071603 - Remote code execution in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2010-2568

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-20 - Improper Input Validation

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing icons to .lnk and .pif files within Windows Explorer. A remote attacker can create a specially crafted icon file, trick the victim into clicking on it and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in compromise of vulnerable system.

Note: this vulnerability is being actively exploited.

Known APT campaigns:

Iranian Nuclear Facilities breach

The breach was identified in summer 2010 by VirusBlokada antivirus company from Belarus, who was called to investigate computers in Iranian nuclear facilities.

Public Exploits:

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.