Slashdot Mirror

← Back to Stories (view on slashdot.org)

Duqu Installer Exploits Windows Kernel Zero Day

Posted by Unknown on from the windows-industrial-control-edition dept.

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

4 of 164 comments (clear)

  1. Re:Word document for a remote exploit? by The+MAZZTer · · Score: 4, Informative

    It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

  2. Re:And? by X0563511 · · Score: 3, Informative

    You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  3. Re:There is already a fix out: by SadButTrue · · Score: 4, Informative

    wipe your disk and reinstall anything but Windows.

    FTFY

    --
    grape - the GNU free, open source rape
  4. Re:HOW the HELL by Dr_Barnowl · · Score: 5, Informative

    Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

    The selection of Word as an attack vector was probably influenced by a combination of...

    • Word is probably the number 1 application that most professionals open after the browser.
    • Word has the extra advantage that it's not received as much hardening as the browser.
    • Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
    • The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.