Slashdot Mirror


Duqu Installer Exploits Windows Kernel Zero Day

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

3 of 164 comments

  1. Re:Word document for a remote exploit? by The+MAZZTer · Score: 4, Informative

    It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

  2. Re:There is already a fix out: by SadButTrue · Score: 4, Informative

    wipe your disk and reinstall anything but Windows.

    FTFY

    --
    grape - the GNU free, open source rape

  3. Re:HOW the HELL by Dr_Barnowl · Score: 5, Informative

    Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

    The selection of Word as an attack vector was probably influenced by a combination of...

    • Word is probably the number 1 application that most professionals open after the browser.
    • Word has the extra advantage that it's not received as much hardening as the browser.
    • Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
    • The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.