Microsoft Releases Temporary Plug For Duqu
In releasing the workaround late Thursday, Microsoft officially confirmed the existence of the zero-day vulnerability exploited by the Duqu Trojan. The flaw is in the Win32k TrueType font parsing engine, where the vulnerability can be used to run code in kernel mode, the company says. Such access could enable an attacker to install programs, change or delete data, or create new user accounts with full rights to a system.
The latest release, called Security Advisory 2639658, is a "fix it" that provides enterprises with one-click installation of a workaround to block the installation of malware. Microsoft said detailed information on how to detect malware trying to exploit the vulnerability would be released to anti-virus companies, which were expected to update their products within hours.
"Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it," Microsoft said. The permanent patch would be published through the company's regular monthly security releases, but not in this month's distribution set for Tuesday.
The Budapest University of Technology and Economics in Hungary reported the Duqu-targeted flaw this month, after the school's lab recovered the malware's installer. Symantec, which along with Microsoft was given a copy of the installer, reported that the application had been hidden in a Word document and distributed via email in an attempt to trick recipients into opening the file.
Duqu's code similarities to Stuxnet has led some experts to believe that both malware were created by the same team of developers, a theory that is not embraced universally.
Experts do agree that Duqu doesn't have the destructive capabilities of Stuxnet. Rather, the malware is geared more toward gathering information and sending it to a command-and-control server where the data can be accessed by hackers to mount future attacks.
Stuxnet, first discovered in June 2010, targeted Siemens industrial equipment running Windows. Nearly 60 percent of infected systems worldwide were in Iran, where the malware is believed to have damaged control systems in the country's nuclear facility.
Duqu, reported in 12 countries, has also been targeted at specific industrial facilities. Security experts have refused to identify the victims, which have not been in the United States.