LNKing the Past to the Present - The Curious Case of CVE-2010-2568 and CVE-2015-0096

Presented at ToorCon San Diego 17 (2015), Oct. 25, 2015, 4:30 p.m. (20 minutes)

In mid-2009, Stuxnet was released against the Iranian nuclear program. Widely attributed to the United States and Israel, Stuxnet used multiple zero-day attacks against Windows to attack the Iranian centrifuges. It was discovered in June of 2010 and reported to Microsoft. The initial infection vector was a USB drive that exploited a vulnerability in the Windows shell: merely browsing to a directory was enough to run arbitrary code. The directory contained a specially crafted .LNK file designed to trigger the weakness when Explorer rendered the shortcut’s icon, executing code of the attacker’s choosing on the target system. In August of 2010, Microsoft released Security Bulletin MS10-046 along with a patch to shore up the weakness. The patch was incomplete, and for more than four years all Windows systems remained vulnerable to exactly the same attack that Stuxnet used for initial deployment. In January of 2015, researcher Michael Heerklotz approached the Zero Day Initiative with a report that he had found a way to bypass the MS10-046 patch. In this paper, we look at where the patch failed, how an attacker could get around it, and how the subsequent MS15-020 update closed the vulnerability.
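The attack described above hinges on the Windows shell parsing a shortcut’s LinkTargetIDList while it draws a directory listing. The scanner below is an example added to this page; it is not code from the talk, from HP, or from ZDI. It parses the documented parts of the MS-SHLLINK format (the 76-byte ShellLinkHeader and the ItemID list) and flags shortcuts whose ID list references the Control Panel folder CLSID and also embeds a UTF-16 path ending in .dll or .cpl, the combination that characterised the Stuxnet shortcuts. The two sample shortcuts are constructed inline; the byte layout of the Control Panel applet item (two leading bytes followed by a UTF-16 path) and the path E:\payload.dll are assumptions made for illustration, which is why the scanner searches item bytes for the CLSID and path instead of relying on a fixed layout.

```python
"""Heuristic scanner for .LNK files that reference a Control Panel applet by DLL path.

Added example; not part of the ToorCon talk or any vendor's tooling. Only the
ShellLinkHeader and the ItemID list framing are taken from MS-SHLLINK; the
Control Panel applet item layout used in the sample is an assumption.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
CLSID_MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CLSID_CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")

# Runs of at least four printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_header(data: bytes) -> int:
    """Validate the ShellLinkHeader and return its LinkFlags."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    clsid = uuid.UUID(bytes_le=bytes(data[4:20]))
    flags, = struct.unpack_from("<I", data, 20)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    return flags


def parse_id_list(data: bytes, offset: int) -> tuple[list[bytes], int]:
    """Return the ItemID payloads of a LinkTargetIDList and the offset after it.

    IDListSize (2 bytes) counts the IDList only; each ItemIDSize includes its
    own 2-byte size field; a 2-byte TerminalID of zeros ends the list.
    """
    id_list_size, = struct.unpack_from("<H", data, offset)
    end = offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    pos = offset + 2
    items = []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(bytes(data[pos + 2 : pos + item_size]))
        pos += item_size
    return items, end


def extract_module_paths(item: bytes) -> list[str]:
    """UTF-16LE strings inside an ItemID that end in .dll or .cpl."""
    found = []
    for match in UTF16_RUN.finditer(item):
        text = match.group().decode("utf-16-le")
        if text.lower().endswith((".dll", ".cpl")):
            found.append(text)
    return found


def scan_lnk(data: bytes) -> dict:
    """Flag a shortcut whose ID list names the Control Panel and embeds a module path."""
    flags = parse_header(data)
    result = {"has_idlist": False, "control_panel": False, "dll_path": None}
    if flags & HAS_LINK_TARGET_ID_LIST:
        result["has_idlist"] = True
        items, _ = parse_id_list(data, LNK_HEADER_SIZE)
        for item in items:
            if CLSID_CONTROL_PANEL.bytes_le in item:
                result["control_panel"] = True
            paths = extract_module_paths(item)
            if paths and result["dll_path"] is None:
                result["dll_path"] = paths[0]
    result["suspicious"] = result["control_panel"] and result["dll_path"] is not None
    return result


# --- constructed samples (not real malware) ---------------------------------
def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def _root_item(clsid: uuid.UUID) -> bytes:
    # Root folder shell item: type 0x1F, sort index, then the folder CLSID.
    return _item(b"\x1f\x00" + clsid.bytes_le)


def _build_lnk(items: list[bytes]) -> bytes:
    id_list = b"".join(items) + b"\x00\x00"
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST))
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(id_list)) + id_list


# Assumed applet item layout: two leading bytes, then a UTF-16 DLL path.
SUSPICIOUS_LNK = _build_lnk([
    _root_item(CLSID_MY_COMPUTER),
    _root_item(CLSID_CONTROL_PANEL),
    _item(b"\x00\x00" + "E:\\payload.dll".encode("utf-16-le") + b"\x00\x00"),
])
# Ordinary shortcut to a drive: My Computer root, then a volume item (type 0x2F).
BENIGN_LNK = _build_lnk([_root_item(CLSID_MY_COMPUTER), _item(b"\x2fC:\\\x00")])

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, scan_lnk(blob))
```

Because the scanner searches each ItemID for the Control Panel CLSID and for an embedded module path rather than trusting item positions, it does not depend on the exact (undocumented) applet item structure; a real deployment would run it over every .LNK on removable media or in a share and pair it with the MS15-020 patch state of the host.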


  • Dave Weinstein
    Dave Weinstein is a security researcher with Hewlett-Packard Security Research (HPSR). In this role, Weinstein analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His own research focuses on tool development and Windows kernel vulnerabilities. A regular speaker at technology conferences since the late 1980s, he has presented security research at CanSecWest, ToorCon, and HushCon. Prior to joining HP, Weinstein worked as a software developer for the Microsoft Trustworthy Computing group, where he developed the !exploitable Windows debugging extension that provides automated crash analysis and security risk assessment. Earlier, he spent more than a decade as a professional game developer, including the development of the core networking technology and networking gameplay in the original Rainbow Six.
