The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.
When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating. The classification seemed appropriate, considering the success of the .LNK exploits in infecting large numbers of air-gapped computers. For reasons that aren’t clear, Tuesday’s vulnerability has been rated “important,” Microsoft’s second-highest severity rating. Update: As Virus Bulletin researcher Martijn Grooten pointed out, the .LNK vulnerability was remotely exploitable, allowing it to infect millions of people. By contrast, the bug patched Tuesday appears to require a USB stick, a requirement that would greatly limit the scale of attacks. That’s the likely reason for the lower severity rating.
This vulnerability exists in just about every version of Windows capable of mounting USB drives.
The Israeli security organization Morphisec is presently working on a version of Windows that is essentially not possible to hack, making it an appropriate operating system for military operations, including the control of airlines and missiles.
Dudu Mimran, the co-founder of the company, in a statement to Business Insider, described this new OS version as the Windows that “Microsoft should be doing.” He went on to explain that although this new version was designed for government use, it can also be used by any company or undertaking that wants to ensure that a hack is impossible.
The founder says that since the operating system randomizes all memory, it would not allow a hacker to target the computer's memory and jeopardize the data stored on the drives, thus blocking any zero-day attack.
Currently, the operating system is not available to the public. Mimran, who is also the CTO of Deutsche Telekom Innovation Laboratories in Israel and the Chief Security Officer of Cyber Security Research Center at Ben-Gurion University, says that the project has huge potential, as internal testing proved that 100 percent of the attacks could be blocked.
The company has so far raised $1.5 million from Israeli investors, since developing such an operating system requires that financing to complete the work and make the platform available for use.
I may believe it when I see it but will likely still doubt the veracity of such a claim. It is hard to believe in 2015 that any computing device could ever be considered unhackable, especially a closed-source operating system developed by Microsoft but fixed by a third party.
In a statement, the Navy said it has a plan in place to upgrade its systems to a newer version of Windows. It expects to complete its upgrades by July 12, 2016.
But there’s a chance that it could take even longer. That’s why the Navy’s contract with Microsoft contains options to extend the deal through June 8, 2017. That would raise the amount the Navy will pay for Windows XP support to nearly $31 million.
“The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products,” said Steven Davis, spokesman for Space and Naval Warfare Systems Command. “Until those applications and programs are modernized or phased out, this continuity of services is required to maintain operational effectiveness.”
The most modern military in history continues to use Windows XP, an operating system unveiled in 2001 and one that never really took security seriously.