Slashdot Mirror

← Back to Stories (view on slashdot.org)

Duqu Installer Exploits Windows Kernel Zero Day

Posted by Unknown on from the windows-industrial-control-edition dept.

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."

11 of 164 comments (clear)

  1. First post by GameboyRMH · · Score: 3, Funny

    Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Re:Word document for a remote exploit? by The+MAZZTer · · Score: 4, Informative

    It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.

  3. Re:Word document?! by Anonymous Coward · · Score: 5, Insightful

    This kind of advice is classic. Its also pointless.
    This kind of attack 'comes' from people or sources you know (Most users are not going to check full headers) - and its spear fishing in nature - so its documents that look viable and realistic.

    This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
    You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but thats nothing unusual today in infrastructure that is too lose/insecure).

    The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

    And thats before you really face up to stux and its game change nature. Now its not just PCs/windows that you have to watch. And thats a whole new ballgame.

  4. Re:Word document for a remote exploit? by ArhcAngel · · Score: 4, Funny

    How long until this is used to create a script to jailbreak windows so we can install what we want on it?

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  5. Re:And? by Anonymous Coward · · Score: 5, Insightful

    You did read the story correctly - right?
    You realise its an 0-day unknown exploit. (The user level is right, absolutly - users should be user class, not admins - but its a kernel vuln, thats the point sometimes.)
    You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - depsite masses of evidence you need to rethink how you see this.
    When the word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.

    STOP thinking you have this all covered. You don't. The game has changed, and its tick - tock in the security area.

  6. Re:Word document?! by bmo · · Score: 5, Insightful

    >Once again, don't open email attachments from unknown senders.

    >unknown senders

    If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

    For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

    The "From:" header can be anything, Anon, and it can be trivially set.

    Go ahead, blame the victim. It doesn't make you any less of a douche.

    --
    BMO

  7. Re:And? by X0563511 · · Score: 3, Informative

    You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  8. Re:Must say... by johnthorensen · · Score: 4, Insightful

    I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

  9. Re:There is already a fix out: by SadButTrue · · Score: 4, Informative

    wipe your disk and reinstall anything but Windows.

    FTFY

    --
    grape - the GNU free, open source rape
  10. Re:HOW the HELL by Dr_Barnowl · · Score: 5, Informative

    Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

    The selection of Word as an attack vector was probably influenced by a combination of...

    • Word is probably the number 1 application that most professionals open after the browser.
    • Word has the extra advantage that it's not received as much hardening as the browser.
    • Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
    • The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.
  11. Re:Article is FUD. Requires user running as root. by LordLimecat · · Score: 3, Insightful

    and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

    Someone wasnt paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.

    On XP, you are right, but I believe the XP marketshare is getting smaller every day.