Zero-day vulnerability in Windows

Improper input validation
CVE-2010-2568

The vulnerability was exploited by the Stuxnet worm. According to Symantec, the first exploitation of the vulnerability was discovered on 2008-02-13.

Known malware:

Bloodhound.Exploit.343
W32.Stuxnet
W32.Changeup.C
W32.Ramnit

Vulnerability details

Advisory: SB2010071603 - Remote code execution in Microsoft Windows

Vulnerable component: Windows

CVE-ID: CVE-2010-2568

CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C (base score 9.6, temporal score 9.2)

CWE-ID: CWE-20 - Improper input validation

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper validation of shortcut (.lnk) and .pif files in the Windows Shell when it resolves the icon to display for them. A remote attacker can craft a shortcut whose target ID list references an attacker-controlled module through a Control Panel item; when Windows Explorer renders the shortcut's icon, for example while the victim browses a removable drive, a network share or a WebDAV folder that contains the file, the module is loaded and arbitrary code executes with the privileges of the current user. The victim does not have to click the shortcut; displaying the folder that holds it is enough.

Successful exploitation of the vulnerability results in compromise of vulnerable system.
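To make the malicious shortcut structure concrete, here is an added example (not code from the advisory or from any referenced vendor): a minimal parser for the Shell Link header and LinkTargetIDList that flags the MS10-046 pattern, a Control Panel folder item followed by an item that embeds a path to a module Explorer would load just to fetch an icon. The sample shortcuts, the item layouts, the device path and the module name `~payload.tmp` are constructed for this example; real item IDs carry more fields than are modelled here.

```python
"""Heuristic scanner for CVE-2010-2568 / MS10-046 style shortcuts (added example)."""
import re
import struct
import uuid

HEADER_SIZE = 0x4C                                                # ShellLinkHeader.HeaderSize
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")     # ShellLinkHeader.LinkCLSID
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
HAS_LINK_TARGET_ID_LIST = 0x00000001                              # LinkFlags bit 0

_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")                  # printable UTF-16LE runs
_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")                      # drive, UNC or \\.\ device path


def parse_header(data):
    """Validate the ShellLinkHeader and return its LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    return flags


def parse_id_list(data, offset=HEADER_SIZE):
    """Return the Data field of every ItemID in the LinkTargetIDList."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize exceeds file length")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                                        # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def embedded_paths(item):
    """UTF-16LE strings inside an ItemID that look like file or device paths."""
    strings = [m.group().decode("utf-16-le") for m in _UTF16.finditer(item)]
    return [s for s in strings if _PATH.match(s)]


def scan_lnk(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    if not parse_header(data) & HAS_LINK_TARGET_ID_LIST:
        return []
    findings, control_panel_seen = [], False
    for idx, item in enumerate(parse_id_list(data)):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            control_panel_seen = True                              # Control Panel folder item
            continue
        for path in embedded_paths(item):
            if not control_panel_seen:
                continue                                           # ordinary file/folder target
            if not path.lower().endswith(".cpl"):
                findings.append("item %d: Control Panel item loads non-.cpl module %r" % (idx, path))
            elif path.startswith("\\\\"):
                findings.append("item %d: Control Panel item loads module from UNC/device path %r" % (idx, path))
    return findings


def build_lnk(item_payloads):
    """Assemble a minimal .lnk from ItemID Data fields (constructed sample, not a real file)."""
    flags = HAS_LINK_TARGET_ID_LIST if item_payloads else 0
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID.bytes_le, flags).ljust(HEADER_SIZE, b"\x00")
    if not item_payloads:
        return header
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples; only the bytes the scanner inspects are modelled.
ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le
CPL_FOLDER_ITEM = b"\x1f\x80" + CONTROL_PANEL_CLSID.bytes_le
BENIGN_CPL_LNK = build_lnk([ROOT_ITEM, CPL_FOLDER_ITEM,
    b"\x00\x00" + "C:\\Windows\\System32\\ncpa.cpl".encode("utf-16-le") + b"\x00\x00"])
STUXNET_STYLE_LNK = build_lnk([ROOT_ITEM, CPL_FOLDER_ITEM,   # hypothetical module on a removable drive
    b"\x00\x00" + "\\\\.\\STORAGE#Volume#_??_USBSTOR#Disk&Ven_&Prod_&Rev_#1234#\\~payload.tmp".encode("utf-16-le") + b"\x00\x00"])
PLAIN_FILE_LNK = build_lnk([ROOT_ITEM,
    b"\x31\x00" + "C:\\Users\\Public\\notes.txt".encode("utf-16-le") + b"\x00\x00"])

if __name__ == "__main__":
    for name, blob in (("benign cpl", BENIGN_CPL_LNK), ("plain file", PLAIN_FILE_LNK),
                       ("stuxnet-style", STUXNET_STYLE_LNK)):
        print(name, scan_lnk(blob) or "clean")
```

The check deliberately keys on the Control Panel item plus a path, not on a `.dll` extension: the module Stuxnet dropped on removable drives was named `~WTR4141.tmp`, so an extension filter would have missed it. A legitimate Control Panel shortcut referencing `ncpa.cpl` by a local path passes; a device or UNC path, or any non-.cpl module, is reported.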

Note: this vulnerability is being actively exploited.

Known APT campaigns:

Iranian Nuclear Facilities breach

The campaign came to light in June 2010 when VirusBlokAda, an antivirus company from Belarus, was asked to investigate malfunctioning computers of a customer in Iran and identified the Stuxnet worm on them.

Public Exploits: