Duqu Installer Exploits Windows Kernel Zero Day

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

21 of 164 comments

  1. First post by GameboyRMH · · Score: 3, Funny

    Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Word document for a remote exploit? by kervin · · Score: 2, Interesting

    I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

    1. Re:Word document for a remote exploit? by 0100010001010011 · · Score: 2

      1) Word document exploits hole.
      2) Exploited hole now allows remote code execution.
      [3) Pictures of exploited hole now show up constantly on new website "Slashdot"]

    2. Re:Word document for a remote exploit? by The+MAZZTer · · Score: 4, Informative

      It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

    3. Re:Word document for a remote exploit? by ArhcAngel · · Score: 4, Funny

      How long until this is used to create a script to jailbreak windows so we can install what we want on it?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  3. Re:Word document?! by Anonymous Coward · · Score: 5, Insightful

    This kind of advice is classic. It's also pointless.
    This kind of attack 'comes' from people or sources you know (most users are not going to check full headers) - and it's spear phishing in nature - so it's documents that look viable and realistic.

    This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
    You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but that's nothing unusual today in infrastructure that is too loose/insecure).

    The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. It's wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

    And that's before you really face up to Stux and its game-changing nature. Now it's not just PCs/Windows that you have to watch. And that's a whole new ballgame.

  4. Re:Is it really about market share? by Amouth · · Score: 2

    So explain to me how Apple doesn't do any of these things? You realize that for a long time now the main method of jailbreaking their phones has been a PDF exploit that allows you to root the device. Not only is it documented and in active use, but it has been there for years now, and they still have not fixed it.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  5. Re:And? by Anonymous Coward · · Score: 5, Insightful

    You did read the story correctly - right?
    You realise it's a 0-day unknown exploit. (The user level is right, absolutely - users should be user class, not admins - but it's a kernel vuln, that's the point sometimes.)
    You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - despite masses of evidence you need to rethink how you see this.
    When the Word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.

    STOP thinking you have this all covered. You don't. The game has changed, and it's tick-tock in the security area.

  6. Re:Word document?! by bmo · · Score: 5, Insightful

    >Once again, don't open email attachments from unknown senders.

    >unknown senders

    If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

    For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

    The "From:" header can be anything, Anon, and it can be trivially set.

    Go ahead, blame the victim. It doesn't make you any less of a douche.

    --
    BMO

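The point bmo and the Anonymous Coward above make, that the From: header is whatever the sender writes, as an added Python example that is not part of the thread or of the Threatpost article: it constructs a message whose From: claims to be the COO and then applies the checks a receiving gateway still has available (the Return-Path: envelope sender, the Received: line our own MX wrote, and Reply-To:). Every address, host name and IP is made up for the demonstration; the example also checks Reply-To:, which the comments do not mention but which a phisher sets so that replies reach them rather than the real COO.

```python
# Added example, not code from the Slashdot thread or from Threatpost. Shows
# that the RFC 5322 From: header is whatever the sender writes, and the checks
# a receiving gateway can still apply. All addresses, hosts and IPs below are
# constructed for illustration (example.com, attacker-example.net, 203.0.113.5).
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr


def build_message(from_header, envelope_sender, connecting_host, reply_to=None):
    """Build the bytes a receiving MX would hold after one SMTP hop.

    The sender controls From:, Subject: and Reply-To: completely. Return-Path:
    (the SMTP MAIL FROM) and Received: are written by the receiving MTA from
    what it actually observed, so they are harder to fake from outside. A relay
    inside the target's own infrastructure is a different matter, see below.
    """
    msg = EmailMessage(policy=policy.SMTP)
    # Headers the receiving MTA would prepend (constructed here for the demo):
    msg["Return-Path"] = f"<{envelope_sender}>"
    msg["Received"] = (f"from {connecting_host} ({connecting_host} [203.0.113.5]) "
                       "by mx.example.com with ESMTP id abc123; "
                       "Tue, 1 Nov 2011 10:00:00 +0000")
    # Headers the sender writes freely; nothing in SMTP validates them:
    msg["From"] = from_header
    msg["To"] = "all-staff@example.com"
    msg["Subject"] = "Mandatory: updated travel policy (read by Friday)"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please read the attached document before Friday.")
    return bytes(msg)


def _domain(addr_header):
    """Bare lower-cased domain of an address header value ('' if none)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def _in_domain(host, domain):
    """True if host is domain itself or a sub-host of it (no suffix tricks)."""
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoof_indicators(raw):
    """Return the reasons the From: header of a raw message should not be trusted.

    An empty list means envelope sender, connecting host and Reply-To all agree
    with the claimed From: domain. It does not prove the mail is genuine: a
    compromised internal mailbox passes every one of these checks.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = _domain(msg["From"])

    rp_dom = _domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} differs from From: domain {from_dom}")

    # Our own MX prepends its Received: line, so with one hop it is index 0.
    received = msg.get_all("Received", [])
    if received:
        m = re.match(r"\s*from\s+(\S+)", str(received[0]))
        if m and not _in_domain(m.group(1), from_dom):
            findings.append(f"connecting host {m.group(1)} is outside {from_dom}")

    rt_dom = _domain(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        findings.append(f"Reply-To domain {rt_dom} differs from From: domain {from_dom}")
    return findings


if __name__ == "__main__":
    spoofed = build_message("Jane Doe <coo@example.com>",
                            "bounce@mail.attacker-example.net",
                            "mx.attacker-example.net",
                            reply_to="coo.janedoe@webmail-example.org")
    genuine = build_message("Jane Doe <coo@example.com>",
                            "coo@example.com", "mx.example.com")
    print("spoofed:", spoof_indicators(spoofed))
    print("genuine:", spoof_indicators(genuine))
```

The spoofed message trips all three checks while its From: line looks identical to the genuine one, which is the whole point of the comments above. An empty finding list is necessary, not sufficient: mail sent from the COO's own compromised mailbox carries a matching envelope, an internal Received: hop and no Reply-To, so this gateway logic cannot catch the case the Anonymous Coward describes, and the 'unknown sender' rule never could.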
  7. Re:And? by X0563511 · · Score: 3, Informative

    You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:And? by couchslug · · Score: 2

    "Next you'll be telling me that I shouldn't let filesharing ports open to the world."

    You shouldn't let filesharing ports open to the world.

    HTH!

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  9. HOW the HELL by v1 · · Score: 2, Interesting

    do you have a kernel security bug in a word processor?

    Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.

    --
    I work for the Department of Redundancy Department.
    1. Re:HOW the HELL by Anonymous Coward · · Score: 2, Funny

      do you have a kernel security bug in a word processor?

      It's called "innovation". Microsoft has it, other companies and groups don't. While Microsoft has been busily advancing the security flaw sciences over the life of the company, the Linux and *BSD teams still consider it a major breakthrough worth front-page news whenever they develop a rare, very-special-case privilege escalation bug under certain kernel options (and only if you made stupid decisions in your other programs). And while Apple is still struggling to come up with ways to relinquish root on their systems to catch up with the state-of-the-art from ten years ago, Microsoft is blazing forward, creating new and innovative violations such as drive-by downloads in IE, invisible trojans from downloads, and now even their lowly word processor can cause a complete rooting at the kernel level.

      Microsoft. They still lead innovation.

    2. Re:HOW the HELL by Dr_Barnowl · · Score: 5, Informative

      Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

      The selection of Word as an attack vector was probably influenced by a combination of...

      • Word is probably the number 1 application that most professionals open after the browser.
      • Word has the extra advantage that it's not received as much hardening as the browser.
      • Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
      • The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.
    3. Re:HOW the HELL by BitZtream · · Score: 2, Informative

      You simply do not have any idea how software works, which is ironic considering you're calling them stupid. Please realize that ALL IO, be it console, GUI or file, goes through the kernel, right?

      Your super leet little Linux box works the same way.

      All apps access the kernel API in order to function. Just starting a process is an API call. To actually do anything useful on a computer, you're talking to the kernel, its what arbitrates between all of your apps. Yes, you may have a window manager doing the lifting, but in the end, the video drivers are in the kernel space, and to make any changes to the display, you gotta talk to the kernel.

      The kernel delivers your keystrokes to the application.

      The kernel plays sound that the application asks it to.

      The kernel displays what's on your monitor.

      The kernel is the only thing that talks to ANY hardware on your machine directly; everything else in userland talks to it via the kernel.

      Almost all 'kernel exploits' are done via userland code. There are extremely rare exceptions like exploiting kernel netcode and such, like the old WinNuke, teardrop and all those did. Those directly exploit bugs in the kernel because the kernel is the first thing that handles all network activity in and out of the machine. Otherwise, your two options for exploiting the kernel are userland applications and kernel loadable modules. Well, if you can load a KLM, you own the machine anyway; that's a feature, not an exploit.

      So basically the only way any exploit happens (or the vast majority of them, really) is by using a userland application to make a kernel API call that can be exploited due to a bug. The kernel's job is to play police officer and make sure nothing like this happens, but it's not perfect, regardless of what OS you're running, and those bugs get found, someone crafts an exploit and figures out a good vector for delivery. That may be through a network connection via Apache or IIS (these are both userland applications) or, in this case, I get you to open a Word doc that materializes the exploit. It doesn't even have to be a Word problem; it could be an image with bad data that gets loaded by the default libraries and something weird happens there. Word is just a way to start the process.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:HOW the HELL by DeadCatX2 · · Score: 2

      Another attack vector is plug-and-play drivers. For instance, the PS3 jailbreak exploited the USB driver. That's not coming from userland.

      --
      :(){ :|:& };:
  10. Re:Must say... by johnthorensen · · Score: 4, Insightful

    I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

  11. Re:There is already a fix out: by SadButTrue · · Score: 4, Informative

    wipe your disk and reinstall anything but Windows.

    FTFY

    --
    grape - the GNU free, open source rape
  12. Re:Article is FUD. Requires user running as root. by LordLimecat · · Score: 3, Insightful

    and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

    Someone wasn't paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.

    On XP, you are right, but I believe the XP marketshare is getting smaller every day.

  13. Fitting fortune by jad4 · · Score: 2

    I saw this next to the story:

    It is important to note that probably no large operating system using current
    design technology can withstand a determined and well-coordinated attack,
    and that most such documented penetrations have been remarkably easy.
    -- B. Hebbard, "A Penetration Analysis of the Michigan Terminal System",
    Operating Systems Review, Vol. 14, No. 1, June 1980, pp. 7-20

  14. Re:Article is FUD. Requires user running as root. by krinderlin · · Score: 2

    I shouldn't have to be admin on my computer at my job. In fact, they took those rights away from me once. The conversation at 2 a.m. was pretty awesome:

    "I can't log on to the VPN from here."

    "Well they took away my admin rights and the Juniper VPN plug-in won't run."

    "Yeah, I'd love to come into the office, but I'm in Florida for the weekend. Atlanta's a bit far away, and I'm on my third vodka and tonic."

    "I don't have enough money in my checking account to cover a plane ticket that you'll reimburse me for next month. It'd be a few days to get it transferred from my savings account at another bank."

    "I guess you'll just have to find someone who can work on it. Have you tried turning it off and on again? Is it definitely plugged in?"

    "You've SEEN THAT SHOW?!?! I love you. Oh hold on, people are getting naked in the pool, ciao!"