Critical Windows zero-day bug exploited by Duqu The Duqu malware used to steal sensitive data from manufacturers of industrial systems exploits at least one previously unknown vulnerability in the kernel of Microsoft Windows, Hungarian researchers said. The zero-day vulnerability was triggered by a booby-trapped Word document that was recently discovered by researchers from …
If Symantec's little flowchart is accurate, the injection would fail at the "Shellcode executes driver" step because the user said shellcode is running as wouldn't have permissions to add drivers or manipulate the kernel. Maybe it'd throw a UAC prompt up.
One of Symantec's own anti-Duqu recommendations is:
"Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application."
If you take Symantec at face value, this workaround is a full stop for the thing. Their threat assessment of "Very Low" is also Very Telling.
@Gordon Fecyk: "the injection would fail at the "Shellcode executes driver" step because the user said shellcode is running as wouldn't have permissions to add drivers or manipulate the kernel"
Seems clear the installer uses 'a previously unknown kernel vulnerability that allows code execution` that runs at admin privilage without prompting the user.
"The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution .. Duqu is able to get a foothold in an organization through the zero-day exploit".
Look up "OLE for process control". It's an "open standard" for industrial process control. To get the specifications you need to be a member. Membership starts at $1500 a year. Documents are in PDF (at least) but the provided videos are in strange early 1990s codecs.
Of course the standard is based on DCOM which is an obsolete Windows technology. (A new technology based on TCP/IP is being developed now called OPC UA)
So seriously I doubt they would have needed to exploit Word. Someone who spends a lot of money on such system probably doesn't understand the slightest bit of security. You could most likely just have send them a greeting card in an encrypted ZIP file.
For security purpose, a computer connected to the internet is a computer that can communicate with a computer connected to the internet (yes, that's a bit of a recursive definition, I know). Even if it is not supposed to be able to talkTCP/IP to the outside world.
The only safe zone there is is an ivory tower. No datalink whatsoever. And then strong physical security.
A Safe Computing Enclave could be networked - one just has to make sure the routers are properly configured to isolate from the general internet and to encrypt traffic outside the trusted areas.
Of course that requires trust into the routers, but that is much less than trusting all the application software from the likes of Oracle, Adobe and Microsoft.
you haven't been keeping up with your reg reading. Just the other day they posted an article about a wireless hack that lets you spit an endless stream of cash out of an ATM.
The banks just eat the cost to avoid the bad PR. Sort of like they sometimes do with identity theft cases. I can testify to one such ID theft case. A co-worker who never uses an ATM was having money withdrawn from his account by ATM. After being able to prove he never requested or received an ATM, the bank refunded all the "erroneous" ATM withdrawls and associated bank charges. No police report was ever filed in an attempt to apprehend the culprits.
...wouldn't Symantec's acquisition of Messagelabs and their flagship Skeptic product save us? Or did the acquisition somehow remove the "100% virus detection guarantee?" Strange code in an otherwise harmless document would set off Skeptic's alarms before. Why not now?
Or are we all doomed? Can't Symantec save us?
To GET that malicious payload through, unsuspected, the attacker could send a compelling video payload. The recipient could then fall victim by just "having to have it to see it play", and then follows a stealthy URL set up by the intending penetrator. The URL for the video loads the dodgy code, to prepare the way for the later-installed remote control payload. THEN, admin or not, if the user is permitted to selectively swtich into and out of admin mode "to get work done", that laxity could be exploited.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
