How about... not running Word as an admin?
If Symantec's little flowchart is accurate, the injection would fail at the "Shellcode executes driver" step because the user said shellcode is running as wouldn't have permissions to add drivers or manipulate the kernel. Maybe it'd throw a UAC prompt up.
One of Symantec's own anti-Duqu recommendations is:
"Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application."
If you take Symantec at face value, this workaround is a full stop for the thing. Their threat assessment of "Very Low" is also Very Telling.