Microsoft Issues Fix to Keep Duqu at Bay
Nov 7, 2011 6:00 AM PT
Microsoft on Friday released a temporary fix for a Microsoft Word vulnerability that allows the Duqu worm to attack PCs.
The flaw, in TrueType font parsing, could let an attacker run arbitrary code in kernel mode, installing programs; view, change or delete data; or create new accounts with full user rights, Microsoft said.
The vendor stated that it's aware of targeted attacks that try to use the vulnerability, but there hasn't been much impact on Windows users so far.
"It's important to note that the associated risk is minimal for the public," Jerry Bryant, group manager, response communications, Microsoft Trustworthy Computing, told TechNewsWorld.
However, the patch only deals with the Microsoft Word side of the equation; users will still be vulnerable to Duqu malware unless they update their security software.
"The zero-day vulnerability being discussed in connection to Duqu is not actually in the Duqu malware; it's part of an installer application that was used to install the malware in at least one instance that Symantec is aware of," Kevin Haley, director of Symantec Security Response, told TechNewsWorld.
"Therefore, a patch to remedy the software vulnerability will not protect against the actual Duqu malware," Haley added.
The Trials of TrueType
The TrueType flaw affects Windows XP, Windows 7, Windows Vista and Windows Server 2003 and 2008. However, Windows Server 2008 R2 for Itanium-based systems and Itanium-based Systems Service Pack 1 Server Core installation are not affected.
Microsoft has warned that the emergency patch it has issued for the TrueType vulnerability is not intended to be a replacement for any security updates but is offered as a workaround option instead.
This is the second flaw discovered in the TrueType parsing engine recently.
Only last month, Microsoft issued a security update to fix a flaw in the parsing engine that could let hackers conduct denial of service attacks on Windows PCs.
Microsoft's emergency patch for the TrueType flaw comes ahead of this month's Patch Tuesday.
"Whenever an unpatched software vulnerability is actively being used in attacks, best practices dictate that a software update should be issued as soon as possible," Symantec's Haley pointed out.
Self-Defense Against Duqu
So far, attacks involving Duqu consist of a Microsoft Word attachment that contains the malware.
Microsoft said users must open the attachment to launch the Duqu attack.
Since the vendor's temporary patch only fixes the Microsoft World vulnerability, Duqu could use other vehicles instead, such as PDF or Excel attachments, for example.
However, updating security software could protect users.
"Fortunately, most security vendors already detect and block the main Duqu files, thereby preventing an attack," Symantec's Haley said.
Measures Microsoft recommends users take to protect themselves against Duqu include enabling a firewall on their computers, getting the latest updates for all their software, using up-to-date antivirus software, limiting user privileges on their computers, being careful when opening attachments and clicking on links to Web pages, and using strong passwords.
What's a Duqu Anyhow?
Duqu was discovered last month by CrySyS, the cryptography and system security lab at the Budapest University of Technology and Economics.
Symantec, which analyzed Duqu samples, confirmed CrySyS' initial assessment that the malware was likely written by the same people who created the highly dangerous Stuxnet worm, which had infiltrated Iranian nuclear installations.
Duqu is primarily a remote access Trojan, it doesn't self-replicate, and it was highly targeted toward a limited number of organizations for their specific assets, Symantec found.
"We know of multiple companies which have been targeted," Symantec's Haley said. "They are suppliers to industrial facilities, and other organizations outside the industrial sector."
However, he declined to name the target companies.