Why Stuxnet Affects All Windows Systems

If you have been reading the various advisories on the Stuxnet malware, you would be forgiven for thinking that only computers running relatively new versions of Windows are vulnerable to this worm. For example, the Siemens Stuxnet advisory states: “The virus affects operating systems from XP and higher.” Does that mean if I am running Windows 2000 servers I am immune?

Unfortunately, the answer is NO! Based on our testing, all versions of Windows are vulnerable to Stuxnet, regardless of age.

So why the confusion? Well, not unreasonably from an IT point of view, Microsoft validates vulnerabilities against all currently supported versions of their operating system. What the Microsoft Security Bulletin MS10-046 states is "The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected." The key phrase that gets missed by most people is "editions are either past their support life cycle".

Well, guess what? Windows NT and 2000 are well past their support life cycle, so Microsoft isn't saying whether they are or are not vulnerable. But if you analyze these old versions, you will see that the code in Windows Explorer that handles icon display (i.e. where the vulnerability is) has not changed all that much over the years. The end result - they are just as vulnerable.

The bad news is there are no patches for these unsupported versions of Windows and I don't expect any soon. So what is the poor SCADA engineer to do? I lay out a few workarounds in our White Paper: Siemens PCS7 WinCC Malware, the simplest of which is to create a USB key checking system before any USB keys are used on the plant floor.
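
A minimal sketch of one check such a key-checking station could run, added here as an example (it is not taken from the white paper or from this post). It assumes the station should hold any key that carries Windows shortcut files, the file type whose icon handling MS10-046 concerns, and it identifies them by the Shell Link header as well as by extension; the function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (per the MS-SHLLINK format).
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
SHORTCUT_EXTS = {".lnk", ".pif"}

def is_shell_link(path):
    """True if the file content starts with a Shell Link header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False

def scan_key(root):
    """Return sorted (relative_path, reason) findings for a mounted key."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if is_shell_link(full):
                # Content match wins, so a renamed shortcut is still caught.
                reason = "shortcut" if ext == ".lnk" else "shortcut content, extension %r" % ext
                findings.append((rel, reason))
            elif ext in SHORTCUT_EXTS:
                findings.append((rel, "shortcut extension, no Shell Link header"))
    return sorted(findings)

def demo():
    """Build a constructed sample key in a temp directory and scan it."""
    samples = {
        "report.txt": b"plain text",
        "tools.lnk": LNK_MAGIC + b"\x00" * 56,
        "readme.dat": LNK_MAGIC + b"\x00" * 56,  # shortcut with a renamed extension
        "old.pif": b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as key:
        for name, data in samples.items():
            with open(os.path.join(key, name), "wb") as fh:
                fh.write(data)
        return scan_key(key)

if __name__ == "__main__":
    for rel, reason in demo():
        print("HOLD KEY:", rel, "-", reason)
```

Run a check like this from a system that does not render the key's contents in Windows Explorer, since displaying the icon is where the vulnerable code runs.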

I have also been looking at other measures which I will discuss in my next blog. In the meantime, let me know if you have any ideas or questions on how to keep Stuxnet out of your control systems.

