Duqu Installer Exploits Windows Kernel Zero Day 164
Trailrunner7 writes with an excerpt from Threatpost: "A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn't clear right now. The installer uses a Word document to exploit the vulnerability and then install the Duqu binaries."
First post (Score:4, Funny)
Says it can spread over SMB shares too, but I don't think anyone in my company is dumb enough to ^H^H^H^ NO CARRIER
How would a Windows virus infect a Nintendo game? (Score:2)
Re: (Score:2)
if it infected ds roms, that would be friggin brilliant.
Re: (Score:2)
Well, its a good thing the network protocol sanitizes the files you share with it. Its very reassuring that the virus cant simply place that infected document onto NFS and spread that way.
Seriously, do you really think that has any relevance to the issue?
Word document for a remote exploit? (Score:3, Interesting)
I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?
Re: (Score:1)
to access undocumented APIs.
MS has been known to used them.
Re: (Score:3)
1) Word document exploits hole.
2) Exploited hole now allows remote code execution.
[3) Pictures of exploited hole now show up constantly on new website "Slashdot"]
Reverse the exploited hole (Score:2, Funny)
Re: (Score:1)
lol reverse goatse.
Re: (Score:2)
Depends what type of hole you are talking about, I have been here since you have, and seen plenty of Aholes!
Re:Word document for a remote exploit? (Score:5, Informative)
Re:Word document for a remote exploit? (Score:5, Funny)
Re: (Score:2)
Does this affect OpenOffice/LibreOffice? (Score:2)
I haven't seen any mention of whether the document attack vector affects OpenOffice and LibreOffice users as well.
Re: (Score:2, Flamebait)
What, you don't open ports to your passwordless MS terminal server ?
It's a Word document, which means it exploits a weakness in MS word to deliver the payload.
But seriously, what is this, Digg ? Who is this "Unknown Lamer" and why doesn't he go fuck himself ? We used to have standards around here...
Re: (Score:2)
I'm a little confused. Why would you need a Word document to exploit a remote vulnerability?
From the FA:
"The installer, discovered by researchers at the Hungarian lab that first found Duqu, is a Word document that, once opened, exploits the kernel flaw and then installs the Duqu code on the machine. "
The answer, my dear Watson, is that it is much easier to get people to click on a .doc email attachment, than it is to get them to click on a .exe
Re: (Score:2)
By root you mean Administrator privileges and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.
I wonder if this bug is XP only or XP/Vista/7. If it Vista/7, will UAC stop it?
This article is light on details and doesn't give Admins alot to work with. Microsoft generally will release KB articles describing the exploit and workaround/prevention methods to prevent it.
Re:Article is FUD. Requires user running as root. (Score:4, Insightful)
and it's still not horribly uncommon that users have local Admin rights due to some old junk software they are trying to run that will only run with Admin privileges locally.
Someone wasnt paying attention during the Vista / 7 coverage. Neither one lets you "just have admin" unless you do a ton of tinkering to completely disable UAC, which in my experience (covering a rather large user base over many companies and households) is incredibly niche. Even if you log in as Administrator, you do not have root unless you go through a UAC prompt.
On XP, you are right, but I believe the XP marketshare is getting smaller every day.
Re: (Score:2)
The problem I foresee with this is that in Win 7, once you hit yes to a UAC prompt, it caches that yes for a bit. It works kind of like Ubuntu in that respect.
Re: (Score:2)
I shouldn't have to be admin on my computer at my job. In fact, they took those rights away from me once. The conversation at 2 a.m. was pretty awesome:
"I can't log on to the VPN from here."
"Well they took away my admin rights and the Juniper VPN plug-in won't run."
Yeah, I'd love to come into the office, but I'm in Florida for the weekend. Atlanta's a bit far away, and I'm on my third vodka and tonic."
"I don't have enough money in my checking account to cover a plane ticket that you'll reimburse me for n
Re: (Score:2)
Not correct. I believe out of the box the "administrator" account is disabled on Vista and 7. They forced people to do non-admin, which was what the entire UAC debacle in vista was about.
Re: (Score:2)
Is it really? (Score:2)
The article says kernel exploit. Many user-land calls are wrappers for kernel-land functions. If this was some undocumented API call in Word, then the exploited function might not validate inputs very well.
Re: (Score:2)
I'll be the first to admit, I don't really know much about Duqu in particular or what kernel exploit it used. In my head, I imagined a kernel function that took a LPSTR type input and didn't bother checking to see how long it was (classic buffer overflow). It's probably more complicated than that, but ultimately my bet is that the kernel did not sanitize userland inputs very well.
I guess undocumented API call on account of it being unknown. Most of the known API calls would probably have been poked and p
Re: (Score:2)
x86 ASM is horrible on the eyes, so I don't blame you for not wanting to really look at it. Most of my disassembly experience hacking comes from PowerPC (I hack Wii games as a hobby). PowerPC ASM is very easy to read.
However, I would imagine that the exploit should be pretty easy to see from just an ASM dump; it's probably written in ASM as it is, because a compiler wouldn't write good shellcode. Exploits themselves are not terribly complicated, it's the rest of the Duqu architecture that layers the tric
Must say... (Score:2)
I'm impressed Microsoft even acknowledged it. Years ago they would have buried this news, claiming anyone reporting on it was aiding terrorists. I'm looking forward to the fix, when they roll it out in a couple of months.
Re: (Score:2)
Well, that can mean anything except one thing. Today isn't opposite day.
Re:Must say... (Score:5, Insightful)
I have actually been pretty impressed by the shift in Microsoft's attitude regarding malware in recent years. Not only are vulnerabilities handled more transparently (though, I suspect, not as transparently as they could be), but they've taken an aggressive stance in going after those like botnet providers who are exploiting the exploits. Seems like they finally woke up to the fact that vulnerabilities actually detract from the value of their product.
Re: (Score:2)
And? (Score:1, Troll)
I'm sorry, but anyone that lets their Windows / internal servers be contacted by arbitrary packets from the Internet, or their systems allow execution by ordinary users of (at the very minimum, unscanned) email attachments, deserves everything they get.
This isn't news now and wasn't back 20 years ago. If you have to do more than just in a "just-in-case" firewall rule into your network equipment that automatically blocks this particular attack from local users (and which should be impossible to execute dire
Re:And? (Score:5, Insightful)
You did read the story correctly - right?
You realise its an 0-day unknown exploit. (The user level is right, absolutly - users should be user class, not admins - but its a kernel vuln, thats the point sometimes.)
You realise that gateway scanning can't and likely won't protect you from *unknown* threat vectors - right? The same applies across all the tooling (anti virus/hips/dats/defs) you quite clearly have got far too comfortable in believing in - depsite masses of evidence you need to rethink how you see this.
When the word doc 'executes' and grabs stuff over simple port 80 - all your *I block IRC clever dick stupidity* comes undone.
STOP thinking you have this all covered. You don't. The game has changed, and its tick - tock in the security area.
Re: (Score:2)
* golf clap *
Re: (Score:2)
Re:And? (Score:4, Informative)
You understand what a zero-day is right? Scanning the attachment would have done exactly nothing useful, and have given you a false sense of security on top of it!
Re: (Score:2)
Yea, and firewalling SMTP is a good way to stop you getting any mail.
Re: (Score:2)
I'm probably wrong, but I'd just assume that any modern malware would reach out from the infected machine to hit port 80 on some botnet controller machine. If your goal is to infect vast quantities of end-user PCs, you can bet almost all of them get through to port 80, even if just about everything else is blocked.
Re: (Score:3)
"Next you'll be telling me that I shouldn't let filesharing ports open to the world."
You shouldn't let filesharing ports open to the world.
HTH!
Re: (Score:2)
Clearly, you didn't read the article. The document attachment won't trigger your scanner, because it exploits an unpublicized kernel vulnerability. Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you. So unless you forbid people to get any and all .doc/.docx files from any source, you are vulnerable to something like this.
So ... you do block all possible access to .docx files, right? Or maybe you need to realize that your 20 year old security rules that aren't 20 year
Re: (Score:2)
Re: (Score:2)
Because it's a kernel vulnerability, it's quite unlikely privilege separation will help you.
Im not seeing why it follows that kernel vulns do not require root to do their worst. The kernel interacts with userland as much as anything else, right?
Re: (Score:1)
If you *need* a firewall for security on your border you are doing it wrong.
Re: (Score:2)
If you don't think you need a firewall on your boarder and you don't have one any way you are doing it wrong. Defense in depth is the only thing that works, think about security at every layer.
Re: (Score:2)
Borg Bill is gone! (Score:1, Interesting)
Re: (Score:2)
No, Borg Bill should have been retired long long ago, but I disagree with what has replaced it.
Instead what I would like to see is a dancing monkey throwing chairs.
Re: (Score:2)
Never have I agreed more with a /. comment. Give me chair throwing monkey now!
remote code execution? (Score:1)
HOW the HELL (Score:3, Interesting)
do you have a kernel security bug in a word processor?
Normally I'd be exaggerating with a statement like this, but not this time I think: "only with Microsoft..." Every time I see something like this I can't help but think they can't possibly pull off something stupider. And yet somehow they just keep doing it.
Re: (Score:2, Funny)
do you have a kernel security bug in a word processor?
It's called "innovation". Microsoft has it, other companies and groups don't. While Microsoft has been busily advancing the security flaw sciences over the life of the company, the Linux and *BSD teams still consider it a major breakthrough worth front-page news whenever they develop a rare, very-special-case privilege escalation bug under certain kernel options (and only if you made stupid decisions in your other programs). And while Apple is still struggling to come up with ways to relinquish root on t
Re:HOW the HELL (Score:5, Informative)
Everything, eventually, calls kernel APIs, or it wouldn't be able to DO anything. The kernel is the only way you're going to access the file system, the hardware, etc. It would be a pretty sorry-assed word processor that couldn't save files.
The selection of Word as an attack vector was probably influenced by a combination of...
Re: (Score:2)
Yea, during year 2006, Office in fact was a big target of zero-day attacks [zdnet.com], forcing MS to released Office 2003 SP3 in Sept 2007, and also MOICE around the same time which converts files to OOXML in a sandbox before opening it. Later MS introduced Office File Protection in Office 2010 and later backported this to 2003/2007 which validates Office binary formats before opening it.
Re: (Score:3, Informative)
You simply do not have any idea how software works, which is ironic considering you're calling them stupid. Please realize that ALL IO, be it console, gui or file goes through the kernel right?
Your super leet little Linux box works the same way.
All apps access the kernel API in order to function. Just starting a process is an API call. To actually do anything useful on a computer, you're talking to the kernel, its what arbitrates between all of your apps. Yes, you may have a window manager doing the lif
Re: (Score:2)
In Linux, a kernel exploit from an application is also known as a "priviledge escalation" bug. Basically, a non-root user exploits the kernel in some way and gets root priviledges.
And yes, there have been many of those - usually some combination of oddball flags and little used options leading to an overflow.
And no, forcing the user to do the escalation for you don't count.
Re: (Score:2)
So those WinNuke etc network-based attacks are known as "privilege escalation"? In school we were taught that those were categorized as DoS, not escalation.
Re: (Score:3)
Another attack vector is plug-and-play drivers. For instance, the PS3 jailbreak exploited the USB driver. That's not coming from userland.
You don't (Score:2)
You don't have a kernel security bug in the word processor, you have it in the kernel.
The word processor makes kernel calls all the time; usually wrapped in crt.dll and cpp.dll calls but it's kernel calls in the end.
Opening a file and locking a file requires a kernel call.
Re: (Score:2)
so it's (A) a kernel bug with a kernel API, and (B) an application bug that passes the exploit on to the kernel? So it's not one bug, but two, one in the kernel and one in the app?
Re: (Score:2)
No app bug needed, most likely. I have no idea what the bug is, but it could be something like trying to save a file with a really creative filename, or otherwise coercing Word into calling whatever kernel API with your exploitive string, which is just normal data in the document from Word's point of view.
It's really not the apps job to police the kernel APIs - they had damn well better sanitize their own inputs (and normally do, of course).
Re: (Score:2)
Just like all those SQL-using web apps. that's been such an effective solution there, leaving security in the hands of the application developers.
Re: (Score:2)
Different worlds. I've never heard of a SQL-injection attack that worked with stored procedures, which is the better analogy here. If you're not religiously checking your inputs for validity, kernel programming is not the career for you.
There is already a fix out: (Score:1)
Re:There is already a fix out: (Score:4, Informative)
wipe your disk and reinstall anything but Windows.
FTFY
Re: (Score:2)
This just in-- OSX and Linux have no kernel bugs.
Except for the ones used to pwn them every year at pwn2own, of course.
Legally Responsible Entity? (Score:2)
So your company lost all its marketing, production & engineering documents for your trade secret widgets & it was due to a Microsoft bug.
Is Microsoft responsible for allowing a Word condition allowing executables in or the Windows OS for having holes?
Or is your company responsible for the total loss of its trade secret intellectual property?
Now who do the aggrieved shareholders sue?
Re: (Score:2)
New ECMA compatabiliy (Score:2)
Fitting fortune (Score:2)
I saw this next to the story:
It is important to note that probably no large operating system using current
design technology can withstand a determined and well-coordinated attack,
and that most such documented penetrations have been remarkably easy.
-- B. Hebbard, "A Penetration Analysis of the Michigan Terminal System",
Operating Systems Review, Vol. 14, No. 1, June 1980, pp. 7-20
Re: (Score:1, Insightful)
Re: (Score:1)
Re: (Score:2)
I hope that was sarcasm.
Re: (Score:1)
Re: (Score:2)
I think the better question is why does it have to be word, as opposed to any other user space unprivileged process. My guess would be because of all the macros/scripting and other bad ideas in word.
Re: (Score:1)
Re: (Score:2)
Fortuantelty, all that scripting stuff is off by default in Office now. Unfortunatly, there are still companies that use the scripting nonsense (especially in Excel), so those users are used to clicking OK on the "enable scripting" pop-up.
Re: (Score:2)
Because of binary file formats, binary fonts, etc. All data is just data, including code. A is the same as \x41 which is the op code for INC EAX, for example. That's effectively a NOP as far as shell code is concerned, though. Others do other things, of course. It's the same reason you can do exploits in PDF or other file format attacks.
Re: (Score:2)
Re: (Score:2, Insightful)
This is old news. Microsoft Office was probably the largest vector for computer virus infections in the mid 90s. VBA means that opening your document can pretty much do anything since it can hook into Win32 and 99% of users ran as administrators.
Nowadays, Windows users aren't admins by default, and there are some protections to prevent macros from being run without your permission, but all that stuff is still in there. Office has always been a de facto part of the OS because the only way Microsoft could
Re:Word document?! (Score:5, Insightful)
This kind of advice is classic. Its also pointless.
This kind of attack 'comes' from people or sources you know (Most users are not going to check full headers) - and its spear fishing in nature - so its documents that look viable and realistic.
This is standard stuff, not rocket science sadly. So nominal 'don't open from unknown senders' advice is pointless, worthless and about 4 years out of date.
You can even forget about forging headers. We're well past that. They can and will use the machine of the person you expect to hear from when sending (this requires some access into the structure to do, but thats nothing unusual today in infrastructure that is too lose/insecure).
The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.
And thats before you really face up to stux and its game change nature. Now its not just PCs/windows that you have to watch. And thats a whole new ballgame.
Re: (Score:2)
The number of breaches is growing, the exploits are growing, and stuff like AV is having a higher percentage of failure in dealing with viruses/threats. The cyber 'threat' isn't just real. Its wide and deep, and to be honest, I'm not seeing any viable proper response to it at all. Most attempts to resolve it are akin to sticky plasters over gaping wounds, and the whole landscape tends to be getting worse as time goes by.
The only good answer (today) to rootkits is host-based scanning. Do everything on VMs, and do your AV from the host. Eventually that too will fall, but so far there aren't any credible "VM escape" attacks (there are some interesting beginnings), so you can keep the host safe, and a rootkit on the guest should present no real obstacle to the host. Sadly, there's not much to choose from to scan from a thin hypervisor yet.
Eventually, the only good answer will be to cryptographically lock down the host/hypev
Re: (Score:1)
Re: (Score:2)
Someone should mod you into oblivion for posting a PCWorld ad for Symantec, because that's all that article is. It even tells people to not only just install anti-malware, but to install Norton, and does not mention any other security companies at all.
--
BMO
PC World Bogosity (Score:2)
Based on its contents, that article was written sometime late 2001, but nowhere does PCW show any indication of its original publication date! Now that is true bogosity in action.
Re: (Score:2)
I think you should take your uptight ass for a nice long walk, off of a very short pier. Some of you people seem to have learned nothing in school, except spelling and grammar. It was the only place where you ever earned any praise. Since you are in no way superior to anyone else in any other field, you feel the need to make your inane grammar nazi posts here, there, everywhere.
Sux2bU, huh?
Re:Word document?! (Score:5, Insightful)
>Once again, don't open email attachments from unknown senders.
>unknown senders
If I was spear phishing, it wouldn't be from an "unknown sender" - it would be "from" "someone within the company" and it would look official and it would be mandatory to read.
For example, a "message from the COO" and the From: being from the COO's address. This is typically public knowledge or it can be gotten with social engineering. Once that's done, all bets are off because lower level employees /on pain of being fired/ are not going to ignore the email, and thus open the Word attachment.
The "From:" header can be anything, Anon, and it can be trivially set.
Go ahead, blame the victim. It doesn't make you any less of a douche.
--
BMO
Ooh! I have a solution for this one! (Score:2)
Instead of using email attachments, make it company policy to drop the attachments on a network drive, and instead share intranet links.
Anyone who spear phishes with attachments will fail. Now they will need intranet access, which can be significantly harder to acquire.
Re: (Score:2)
This works well, right up until the point where you need an attachment from someone outside the company.
Say... the latest revision to a requirements doc being sent back and forth between a client and a vendor...
Re: (Score:2)
Give the outside consultant VPN access to a restricted share.
Re: (Score:2)
Plus, God knows, news from higher-ups never comes in an email itself. Instead, we get emails from the CEO's secretary that say "Please read the attached message from the CEO." I've gotten plenty, so yeah, if I got one, I'd open it. I might know it's a fake if there were grammatical errors or if the secretary's name (which I happen to know) wasn't on there, but otherwise, yeah, it wouldn't be unusual at all.
Re: (Score:2)
AHHHH-HAA-HAAA!
I don't read much of anything in my inbasket. I guess that makes me a high level employee?
COO: Did you read my email?
Me: Well, hell no! I'm to busy to read mail.
COO: Well, it said you'd be fired if you didn't read it.
Me: Cool. Six months paid vacation, courtesy of the Employment Commission!
COO: To hell with that, I have some shit jobs that need to be done before you go anywhere.
Me: Well, Fuck you very much, Sir!
Re: (Score:2)
You know, I'm a linux fanatic and a security freak, but you, sir, are an asshole.
--
BMO
Re: (Score:2)
Joe Employee does not maintain his workstation and is not responsible for it. Blaming Joe Employee for opening an attachment with a zero-day exploit from "The COO" is being an asshole.
It's not ad-hominem if the person really is an asshole.
You're an asshole. Deal with it.
--
BMO
Re: (Score:2)
You expect Joe Employee to be an expert in IT.
Right off the bat "Should be smart enough to configure Word to not execute attachments"
No, this is the IT department's responsibility.
I'm not going to read any more because your argument is full not doing your job if you are an actual IT support person.
Have a great day.
--
BMO
Re: (Score:1)
Once again, don't open email attachments from unknown senders.
Since many web browsers are so helpful nowadays, you don't need to run any executables or open any attachments anymore. Browsers will usually help you by opening malware-ridden PDFs, Flash objects, as well as DOC files. You will not even know they were opened, since malware does not want to be loaded in the open and gets executed in a hidden windows or javascript objects.
Re: (Score:2)
SOPHOS
Free Trials Security News/Trends
Stopping Fake Antivirus
How to keep scareware off your network
Download now.
I found that in my inbox a short while ago. At the time, the irony hit me like a sledgehammer - Sophos wants to make me aware of fake AV, Sophos should be warning me against downloading and installing random shit from the internet - so they invite me to download some random shit from the internet which may or may not be a legitimate random shit. Hmmmm. Yeah - I'l
Re: (Score:2)
It would be glorious if that were a phishing attack.
"Your OC has spyware, click here"
Becomes
"Your network has users vulnerable to spyware phishing, click here"
And of course people would fall for it.
Re: (Score:3)
so explain to me how Apple doesn't do any of these things? you realize that for a long time now the main method of Jailbreaking their phones has been a PDF exploit that allows you to root the device.. not only is it documented and in actvice use, but it has been there for years now, and they still have not fixed it.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
The most secure operating system in the world is no match for a user with the root password.
SE Linux does a good job of addressing this - of course it's not perfect, and chance are this particular strategy would work even in SE Linux. Note that the user doesn't need the root password for this one. Yuck.
Re: (Score:2)
Wait, what does the OS have to do with the mail client, or with what you can embed into what documents? I mean, if you want to discuss awful clients, we could talk about Mac Mail, or I could simply remind you that Outlook and Word are both available for OSX too and hardly count as MS OS features.
As for "random native code on the internet", Im pretty sure Safari et al support NPAPI plugins, which are essentially the same thing, and perhaps a little easier to install than an ActiveX program in IE9.
The reason is because of crap that listens to undocumented TCP/IP ports, onto which an single UDP packet can take over and start spewing itself all over the internet.
If you wan