Duqu Installer Exploits Windows Kernel Zero Day

Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."
  • Re:Why / How? (Score:1, Insightful)

    by Megane ( 129182 ) on Wednesday November 02, 2011 @11:08AM (#37920592)
    It's Windows. Why should you be surprised?
  • Re:Word document?! (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 02, 2011 @11:17AM (#37920736)

    This kind of advice is classic. It's also pointless.
    This kind of attack 'comes' from people or sources you know (most users are not going to check full headers) - and it's spear phishing in nature - so it's documents that look viable and realistic.

    This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
    You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but that's nothing unusual today in infrastructure that is too loose/insecure).

    The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. It's wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.

    And that's before you really face up to stux and its game-changing nature. Now it's not just PCs/Windows that you have to watch. And that's a whole new ballgame.

  • Re:And? (Score:5, Insightful)

    by Anonymous Coward on Wednesday November 02, 2011 @11:25AM (#37920838)

    You did read the story correctly - right?
    You realise it's an 0-day unknown exploit. (The user level is right, absolutely - users should be user class, not admins - but it's a kernel vuln, that's the point sometimes.)
    You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - despite masses of evidence you need to rethink how you see this.
    When the Word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.

    STOP thinking you have this all covered. You don't. The game has changed, and it's tick-tock in the security area.

  • Re:Word document?! (Score:5, Insightful)

    by bmo ( 77928 ) on Wednesday November 02, 2011 @11:25AM (#37920850)

    >Once again, don't open email attachments from unknown senders.

    >unknown senders

    If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.

    For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.

    The "From:" header can be anything, Anon, and it can be trivially set.

    Go ahead, blame the victim. It doesn't make you any less of a douche.

    --
    BMO
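The point bmo makes above (the visible From: is trivially set) is one a mail gateway can at least partially catch by comparing From: against the envelope path and the receiving MTA's authentication results. The following is an added example, not code from the thread; the two messages are constructed samples, and the domains are placeholders.

```python
"""Flag messages whose visible From: does not line up with the envelope
Return-Path, Reply-To or the receiving MTA's Authentication-Results.
Added example, not from the Slashdot thread; samples are constructed."""
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> list[str]:
    """Return the reasons this message looks like it has a forged From:."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # Authentication-Results (RFC 8601) is stamped by the receiving MTA,
    # so a forged From: cannot simply assert its own spf=pass here.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth:
        reasons.append("no SPF pass recorded by the receiving MTA")
    if "dkim=pass" not in auth:
        reasons.append("no DKIM pass recorded by the receiving MTA")
    return reasons


# Constructed sample: the "message from the COO" with a forged From:.
FORGED = """Return-Path: <bounce@example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dkim=none
From: "COO" <coo@example.com>
To: staff@example.com
Subject: Mandatory: read the attached policy

See attachment.
"""

# Constructed sample: the same From:, but envelope and auth results agree.
LEGIT = """Return-Path: <coo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "COO" <coo@example.com>
To: staff@example.com
Subject: Quarterly update

See attachment.
"""
```

Such a check only raises a flag; as the thread notes, a message sent from a compromised internal mailbox passes all of it.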

  • Re:Must say... (Score:5, Insightful)

    by johnthorensen ( 539527 ) on Wednesday November 02, 2011 @11:41AM (#37921068)

    I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.

  • by LordLimecat ( 1103839 ) on Wednesday November 02, 2011 @12:39PM (#37921872)

    > and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.

    Someone wasn't paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.

    On XP, you are right, but I believe the XP marketshare is getting smaller every day.

  • Re:Why / How? (Score:2, Insightful)

    by ConceptJunkie ( 24823 ) on Wednesday November 02, 2011 @01:01PM (#37922232) Homepage Journal

    This is old news. Microsoft Office was probably the largest vector for computer virus infections in the mid 90s. VBA means that opening your document can pretty much do anything since it can hook into Win32 and 99% of users ran as administrators.

    Nowadays, Windows users aren't admins by default, and there are some protections to prevent macros from being run without your permission, but all that stuff is still in there. Office has always been a de facto part of the OS because the only way Microsoft could ever compete was to build secret doors into Windows that would allow their apps to do things their competitors couldn't.

    Although MS has gotten better about these sorts of criminally incompetent things, they were all built in from the ground floor, so they'll never be completely eliminated until we get Windows "NTNT".
