Stuxnet Zero-Days
Windows Zero-Day Exploits Used in Stuxnet
Overview
Stuxnet is one of the most sophisticated cyber weapons ever discovered, famously targeting Iran's nuclear facilities in 2010. It exploited four previously unknown (zero-day) vulnerabilities in Microsoft Windows to gain control of industrial systems and cause physical damage to centrifuges.
Stuxnet was designed to spread via USB drives and local networks; its zero-days let it evade detection, escalate privileges, and reach the Programmable Logic Controllers (PLCs) on which it executed malicious commands.
Zero-Day Vulnerabilities Used by Stuxnet
- CVE-2010-2729: Windows Shell LNK/PIF file vulnerability (used for USB propagation)
- CVE-2010-2743: Windows Print Spooler vulnerability (used for privilege escalation)
- CVE-2010-2568: Windows Server Service vulnerability (used for remote code execution)
- CVE-2010-2772: Windows Task Scheduler vulnerability (used for privilege escalation)
Technical Details
- Vulnerability Types: Remote Code Execution, Privilege Escalation
- Affected Components: Windows Shell, Print Spooler, Server Service, Task Scheduler
- Attack Vector: USB, Network
- Impact: Allowed Stuxnet to spread, escalate privileges, and execute malicious code on industrial control systems
- Exploitation: Used in targeted attacks on Iran's nuclear facilities
- Patch Date: 2010 (after Stuxnet was discovered)
Exploitation
Stuxnet's zero-days were used in a multi-stage attack:
- Infect systems via USB drives using the LNK/PIF vulnerability.
- Escalate privileges using the Print Spooler and Task Scheduler vulnerabilities.
- Spread across the network using the Server Service vulnerability.
- Deploy malicious code to PLCs, causing physical damage to centrifuges.
Stuxnet's use of zero-days made it extremely difficult to detect and mitigate, and it set a precedent for state-sponsored cyber warfare.
Affected Systems
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008
Patch Information
Microsoft released patches for all four zero-day vulnerabilities in 2010 after Stuxnet was discovered. Users and administrators were urged to apply the updates immediately to prevent further exploitation.
For systems that could not be patched, Microsoft recommended disabling vulnerable services and monitoring for suspicious activity.
Mitigation
- Apply all relevant security updates from Microsoft.
- Disable AutoRun for USB drives.
- Restrict access to industrial control systems.
- Monitor for unusual network and system activity.
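The Patch Information and Mitigation sections above describe three host-level controls: install the Microsoft updates, disable AutoRun for USB drives, and disable vulnerable services (the Print Spooler is the one named on the page) where patching is not possible. The following PowerShell audit script is an added example, not code from the original page; it checks and, for AutoRun, remediates those controls on a Windows host. It assumes a Windows host with PowerShell 5.1 or later and local administrator rights. The `$RequiredHotfixes` entries are placeholders that you must replace with the Microsoft bulletin KB numbers for the four CVEs listed on the page; the `NoDriveTypeAutoRun` policy value is the standard Windows AutoRun policy setting, where 0xFF suppresses AutoRun for every drive type.

```powershell
# Host audit for the Stuxnet-era mitigations listed above (added example, not from the original page).
# Assumes: Windows, PowerShell 5.1+, run as a local administrator.
# PLACEHOLDER KB IDs: replace with the Microsoft KB numbers for the four CVEs on the page.
$RequiredHotfixes = @(
    'KB-PLACEHOLDER-LNK',        # Windows Shell LNK/PIF update
    'KB-PLACEHOLDER-SPOOLER',    # Print Spooler update
    'KB-PLACEHOLDER-SERVER',     # Server Service update
    'KB-PLACEHOLDER-SCHEDULER'   # Task Scheduler update
)

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed.
    # 0xFF (255) covers all drive types, which is what "disable AutoRun for USB drives" requires.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Set-AutoRunDisabled {
    # Remediation: write the machine-wide policy value so AutoRun is off for all drive types.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Get-MissingHotfixes {
    param([string[]]$Required)
    # Compare the required KB list against what Windows Update reports as installed.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($Required | Where-Object { $installed -notcontains $_ })
}

function Get-RunningExposedServices {
    # The page says Microsoft advised disabling vulnerable services where patching was not possible;
    # the Print Spooler (service name "Spooler") is the one such service named on the page.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler -and $spooler.Status -eq 'Running') { return @('Spooler') }
    return @()
}

# Collect findings and remediate the one control that is safe to change unattended.
$findings = @()
if (-not (Test-AutoRunDisabled)) {
    $findings += 'AutoRun was not fully disabled (NoDriveTypeAutoRun != 0xFF); policy value has now been set.'
    Set-AutoRunDisabled
}
foreach ($kb in (Get-MissingHotfixes -Required $RequiredHotfixes)) {
    $findings += "Required update not installed: $kb"
}
foreach ($svc in Get-RunningExposedServices) {
    $findings += "Service '$svc' is running; disable it on hosts that do not print if the update cannot be applied."
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

The script only auto-remediates the AutoRun policy, because that change is low-risk on an engineering workstation; stopping the Print Spooler or installing updates is reported rather than performed, since both need a change window on industrial control hosts. Run it from an elevated PowerShell prompt after replacing the placeholder KB IDs.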