The Stuxnet worm was an exploit that was used against a nuclear facility in Iran back in 2010, in part by taking advantage of a vulnerability in Windows. The vulnerability that enabled Stuxnet was identified as CVE-2010-2568, which was thought to have been patched by Microsoft in October 2010. More than four years later, Hewlett-Packard’s (HP) Zero Day Initiative (ZDI) has discovered that the CVE-2010-2568 fix was not, in fact, complete and the underlying vulnerability has remained exploitable the whole time.
“CVE-2015-0096 is a vulnerability in the Microsoft Windows operating system that allows remote attackers to execute arbitrary code by having the target simply browse to a directory containing a malicious .LNK file,” Brian Gorenc manager of vulnerability research for HP Security Research,”The patch for CVE-2010-2568 did not completely address the issues present in the Windows Shell, and the weaknesses left are now being resolved five years later as CVE-2015-0096.”
For it’s part Microsoft sees the issue in slightly different light. In an email statement Microsoft stated that:
“This is a new vulnerability that required a new security update. Microsoft released a comprehensive security fix in 2010 to address the vulnerability the Stuxnet virus exploited. As technology is always changing, so are the tactics and techniques of cybercriminals. It is an unfortunate reality of today’s interconnected world that some people and organizations seek to disrupt technology and steal information for nefarious purposes. We will continue to stand guard against any attempts to exploit our products and do what is necessary to help further protect our customers.”–