Forgot your password?
typodupeerror
Microsoft Security Windows IT

Duqu Installer Exploits Windows Kernel Zero Day 164

Posted by Unknown Lamer
from the windows-industrial-control-edition dept.
Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."
This discussion has been archived. No new comments can be posted.

Duqu Installer Exploits Windows Kernel Zero Day

Comments Filter:
  • First post (Score:4, Funny)

    by GameboyRMH (1153867) <gameboyrmh@@@gmail...com> on Wednesday November 02, 2011 @10:58AM (#37920416) Journal

    Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER

  • by kervin (64171) on Wednesday November 02, 2011 @10:59AM (#37920434) Homepage

    I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

    • to access undocumented APIs.

      MS has been known to used them.

    • 1) Word document exploits hole.
      2) Exploited hole now allows remote code execution.
      [3) Pictures of exploited hole now show up constantly on new website "Slashdot"]

    • by The MAZZTer (911996) <megazzt@gm[ ].com ['ail' in gap]> on Wednesday November 02, 2011 @11:04AM (#37920530) Homepage
      It doesn't say remote vulnerability, it says remote code execution. It's probably a Word bug that allows execution of shellcode, which in turn exploits the LOCAL vulnerability in the Windows kernel for privilege elevation. "Remote" just refers to Duqu running code given to it over the network, I assume.
    • Re: (Score:2, Flamebait)

      by billcopc (196330)

      What, you don't open ports to your passwordless MS terminal server ?

      It's a Word document, which means it exploits a weakness in MS word to deliver the payload.

      But seriously, what is this, Digg ? Who is this "Unknown Lamer" and why doesn't he go fuck himself ? We used to have standards around here...

    • by AftanGustur (7715)

      I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?

      From the FA:
      "The installer, discovered by researchers at the Hungarian lab that first found Duqu, is a Word document that, once opened, exploits the kernel flaw and then installs the Duqu code on the machine. "

      The answer, my dear Watson, is that it is much easier to get people to click on a .doc email attachment, than it is to get them to click on a .exe

  • I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.

    • by hedwards (940851)

      Well, that can mean anything except one thing. Today isn't opposite day.

    • Re:Must say... (Score:5, Insightful)

      by johnthorensen (539527) on Wednesday November 02, 2011 @11:41AM (#37921068)

      I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

      • More like they actually have competition making them sweat a bit (no I'm not talking about the hypothetical year of the linux desktop, I'm talking about the actually approaching significant decline in use of the home PC). I still have to say I'm a bit nervous on them going after botnets directly, not because I don't want those scumbags shut down and/or put behind bars, but because corporations playing vigilantes in general is a bit nerve-wracking. What we approve for one company in one circumstance, is appr
  • And? (Score:1, Troll)

    by ledow (319597)

    I'm sorry, but anyone that lets their Windows / internal servers be contacted by arbitrary packets from the Internet, or their systems allow execution by ordinary users of (at the very minimum, unscanned) email attachments, deserves everything they get.

    This isn't news now and wasn't back 20 years ago. If you have to do more than just in a "just-in-case" firewall rule into your network equipment that automatically blocks this particular attack from local users (and which should be impossible to execute dire

    • Re:And? (Score:5, Insightful)

      by Anonymous Coward on Wednesday November 02, 2011 @11:25AM (#37920838)

      You did read the story correctly - right?
      You realise its an 0-day unknown exploit. (The user level is right, absolutly - users should be user class, not admins - but its a kernel vuln, thats the point sometimes.)
      You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - depsite masses of evidence you need to rethink how you see this.
      When the word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.

      STOP thinking you have this all covered. You don't. The game has changed, and its tick - tock in the security area.

      • by Gilmoure (18428)

        * golf clap *

      • by Dr. Spork (142693)
        Yeah, I'm afraid you're right and I don't like it. Antivirus programs now are an incredible PITA already - in many cases, they degrade the system more than do viruses. If this really is tick-tock in the security area, I dread to contemplate what "tock" the security companies will come up with in answer to this kind of thing.
    • Re:And? (Score:4, Informative)

      by X0563511 (793323) on Wednesday November 02, 2011 @11:33AM (#37920948) Homepage Journal

      You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!

    • by couchslug (175151)

      "Next you'll be telling me that I shouldn't let filesharing ports open to the world."

      You shouldn't let filesharing ports open to the world.

      HTH!

    • Clearly, you didn't read the article. The document attachment won't trigger your scanner, because it exploits an unpublicized kernel vulnerability. Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you. So unless you forbid people to get any and all .doc/.docx files from any source, you are vulnerable to something like this.

      So ... you do block all possible access to .docx files, right? Or maybe you need to realize that your 20 year old security rules that aren't 20 year

      • by adonoman (624929)
        Does this apply to docx files, or just doc/docm files? The newer word version have removed macro functionality from the docx files, and require you to use docm files for any of that. 2007/2010 also refuse to run macros on any kind of files from non-trusted locations. Or is this an old-fashioned exploit that relies on a buffer overflow or such in a non-macro document?
      • Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you.

        Im not seeing why it follows that kernel vulns do not require root to do their worst. The kernel interacts with userland as much as anything else, right?

  • Borg Bill is gone! (Score:1, Interesting)

    by Anonymous Coward
    Hey! Where is Borg Bill? Put it back right now!
    • by Jeng (926980)

      No, Borg Bill should have been retired long long ago, but I disagree with what has replaced it.

      Instead what I would like to see is a dancing monkey throwing chairs.

      • by lgw (121541)

        Never have I agreed more with a /. comment. Give me chair throwing monkey now!

  • "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution." It's an exploit embedded inside a Word document. You can't get more local then that.
  • HOW the HELL (Score:3, Interesting)

    by v1 (525388) on Wednesday November 02, 2011 @11:37AM (#37920998) Homepage Journal

    do you have a kernel security bug in a word processor?

    Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      do you have a kernel security bug in a word processor?

      It's called "innovation". Microsoft has it, other companies and groups don't. While Microsoft has been busily advancing the security flaw sciences over the life of the company, the Linux and *BSD teams still consider it a major breakthrough worth front-page news whenever they develop a rare, very-special-case privilege escalation bug under certain kernel options (and only if you made stupid decisions in your other programs). And while Apple is still struggling to come up with ways to relinquish root on t

    • Re:HOW the HELL (Score:5, Informative)

      by Dr_Barnowl (709838) on Wednesday November 02, 2011 @12:13PM (#37921494)

      Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.

      The selection of Word as an attack vector was probably influenced by a combination of...

      • Word is probably the number 1 application that most professionals open after the browser.
      • Word has the extra advantage that it's not received as much hardening as the browser.
      • Office may use some of the reputed secret API calls that MS use to give it an advantage... these may be less hardened than public ones, or just less commonly exploited, thus they are a softer target.
      • The document data structure handling code in Word is likely a total mess, as revealed in the MOO-XML specs, because it contains support for a lot of very old versions of Word, and is probably more vulnerable to exploits than other parts of Office.
      • by yuhong (1378501)

        Yea, during year 2006, Office in fact was a big target of zero-day attacks [zdnet.com], forcing MS to released Office 2003 SP3 in Sept 2007, and also MOICE around the same time which converts files to OOXML in a sandbox before opening it. Later MS introduced Office File Protection in Office 2010 and later backported this to 2003/2007 which validates Office binary formats before opening it.

    • Re: (Score:3, Informative)

      by BitZtream (692029)

      You simply do not have any idea how software works, which is ironic considering you're calling them stupid. Please realize that ALL IO, be it console, gui or file goes through the kernel right?

      Your super leet little Linux box works the same way.

      All apps access the kernel API in order to function. Just starting a process is an API call. To actually do anything useful on a computer, you're talking to the kernel, its what arbitrates between all of your apps. Yes, you may have a window manager doing the lif

      • by tlhIngan (30335)

        In Linux, a kernel exploit from an application is also known as a "priviledge escalation" bug. Basically, a non-root user exploits the kernel in some way and gets root priviledges.

        And yes, there have been many of those - usually some combination of oddball flags and little used options leading to an overflow.

        And no, forcing the user to do the escalation for you don't count.

        • So those WinNuke etc network-based attacks are known as "privilege escalation"? In school we were taught that those were categorized as DoS, not escalation.

      • by DeadCatX2 (950953)

        Another attack vector is plug-and-play drivers. For instance, the PS3 jailbreak exploited the USB driver. That's not coming from userland.

    • You don't have a kernel security bug in the word processor, you have it in the kernel.

      The word processor makes kernel calls all the time; usually wrapped in crt.dll and cpp.dll calls but it's kernel calls in the end.

      Opening a file and locking a file requires a kernel call.

      • by v1 (525388)

        so it's (A) a kernel bug with a kernel API, and (B) an application bug that passes the exploit on to the kernel? So it's not one bug, but two, one in the kernel and one in the app?

        • by lgw (121541)

          No app bug needed, most likely. I have no idea what the bug is, but it could be something like trying to save a file with a really creative filename, or otherwise coercing Word into calling whatever kernel API with your exploitive string, which is just normal data in the document from Word's point of view.

          It's really not the apps job to police the kernel APIs - they had damn well better sanitize their own inputs (and normally do, of course).

          • by v1 (525388)

            It's really not the apps job to police the kernel APIs - they had damn well better sanitize their own inputs (and normally do, of course).

            Just like all those SQL-using web apps. that's been such an effective solution there, leaving security in the hands of the application developers.

            • by lgw (121541)

              Different worlds. I've never heard of a SQL-injection attack that worked with stored procedures, which is the better analogy here. If you're not religiously checking your inputs for validity, kernel programming is not the career for you.

  • wipe your disk and reinstall Windows.
  • So your company lost all its marketing, production & engineering documents for your trade secret widgets & it was due to a Microsoft bug.

    Is Microsoft responsible for allowing a Word condition allowing executables in or the Windows OS for having holes?

    Or is your company responsible for the total loss of its trade secret intellectual property?

    Now who do the aggrieved shareholders sue?

    • They should be but their EULA means they're no responsible for anything even if their software causes your building to burn down.
  • #666 Fall prey to exploit like docx
  • I saw this next to the story:

    It is important to note that probably no large operating system using current
    design technology can withstand a determined and well-coordinated attack,
    and that most such documented penetrations have been remarkably easy.
    -- B. Hebbard, "A Penetration Analysis of the Michigan Terminal System",
    Operating Systems Review, Vol. 14, No. 1, June 1980, pp. 7-20

How many NASA managers does it take to screw in a lightbulb? "That's a known problem... don't worry about it."

Working...