Microsoft released a security advisory late Thursday with a workaround for the Windows zero-day vulnerability linked to the Duqu Trojan, but said a Duqu zero-day patch won’t be ready for next week’s Patch Tuesday release.
In the advisory, Microsoft said it is investigating a vulnerability in a Windows component, the Win32k TrueType font-parsing engine. Successful exploitation of the vulnerability, according to Microsoft, could allow an attacker to run arbitrary code in kernel mode and then install programs, alter or delete data, or create new accounts with full user rights. For an attack to succeed, the victim must open an email attachment.
“We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,” the company said.
The advisory provides a workaround for the Duqu vulnerability, which affects virtually all actively supported versions of Windows. Microsoft released a “Fix it” program to provide easy installation of the workaround.
In a blog post, Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing, said Microsoft’s engineering teams have determined the root cause of the vulnerability and are working to “produce a high-quality security update to address it.” The update won’t be ready for this month’s bulletin release, he added, but declined to provide a timetable.
Microsoft also said it provided its Active Protections Program partners with details for building detection into their security products. Antimalware vendors will soon release new signatures, according to Microsoft, which encouraged customers to make sure to update their antivirus protection.
Earlier this week, security researchers said they detected an installer for Duqu, a Microsoft Word document that exploits a kernel-level Windows zero-day vulnerability.
According to security researchers, the Duqu Trojan contains some of the same source code used by the Stuxnet Trojan, which was designed to disrupt industrial processes. Duqu appears to have targeted industry equipment makers in order to collect information about their systems and other proprietary data. According to Symantec Corp., the number of confirmed Duqu infections is limited, with confirmed attacks in eight countries, including India and Iran.
Earlier in the day, security researchers said they didn’t expect Microsoft's November 2011 Patch Tuesday release to address the Duqu-related zero-day flaw due to the complexity of fixing the kernel-level vulnerability.
In its November 2011 Patch Tuesday Advance Notification issued Thursday, Microsoft said it planned to issue four security bulletins Nov. 8, fixing four Windows vulnerabilities. Only one of the bulletins slated for release is rated as "critical." Two are rated as "important" and the fourth is rated as "moderate."
Most of the bulletins apply to newer versions of Windows. The critical bulletin, which fixes a vulnerability that could lead to remote code injection, affects Vista, Windows 7, Windows Server 2008 and Server 2008 R2. Only the third bulletin, which addresses vulnerabilities that could lead to elevation of privilege, also affects the older Windows XP and Server 2003.
The November 2011 Patch Tuesday will be light, especially for companies that haven’t yet switched to Windows 7, said Marcus J. Carey, security researcher at Boston-based vulnerability management company Rapid7 LLC. He said the nature of the Duqu-related flaw means Microsoft can’t rush a patch for it.
“It just takes a long time to fix kernel-level bugs,” he said. “The kernel is the core part of the operating system, so it’s a big deal when you have to fix those.”
Mike Geide, senior security researcher at Sunnyvale, Calif.-based Web security SaaS provider Zscaler Inc., also said fixing the kernel-level vulnerability is a complex process.
“Microsoft isn’t going to release a patch until after thorough testing to make sure it not only fixes the vulnerability but also that it doesn’t cause any problems in any of their operating systems,” he said. “There are quite a number of systems to do stress testing on.”
Noting the targeted nature of the Duqu attacks, Carey said average users aren’t going to be affected by the malware. At the same time, though, researchers and attackers will “be trying to uncover this bug until Microsoft patches it,” he added.
Andrew Brandt, director of threat research at South Jordan, Utah-based network security analytics provider Solera Networks Inc., said it will be critical that businesses and individual users apply the patch for the kernel-level zero-day vulnerability once Microsoft releases it.
“It is extremely important that when that patch comes out that every Windows user that has a vulnerable computer apply that patch as quickly as possible,” he said. “This is not one to mess around with for six months. … We know just how dangerous it is, and it’s already been used for some scary stuff.”
Once the details of the vulnerability are released, it will just be a matter of time before more malware that exploits it surfaces, he added. “The window of time between distribution of details and appearance of more malware that exploits the vulnerability is shorter and shorter. It’s gone from weeks to days to hours. … It will not just be Duqu in the long run that exploits it.”