Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Microsoft unlikely to patch Duqu kernel bug next week

Expect a security advisory concerning sophisticated remote-access Trojan

By Gregg Keizer | Computerworld US | Published: 10:15, 02 November 2011

Microsoft will probably not patch the Windows kernel bug next week that the Duqu remote-access Trojan exploits to plant itself on targeted PCs, according to a leading researcher.

"Probably not," said Andrew Storms, director of security operations at nCircle Security, when asked what chance he gave Microsoft fixing the flaw on November 8, this month's regular Patch Tuesday.

"I think we'll see an advisory, but patching next week would really be pushing it for Microsoft," said Storms.

Trojan launched through Word

"If Microsoft had information about the vulnerability before this, it would have been faster either patching or with an advisory," said Storms. "They're in reaction mode now, and probably working up an advisory."

Storms took a stab at what the advisory will contain.

"They'll likely recommend filtering Word documents, and using tools to change older documents to the newer file format," said Storms.

According to Symantec, the Duqu samples it's acquired rely on a malformed Word document to launch the kernel exploit.

Duqu, which Symantec first publicised last month, was characterised by the security firm as a possible precursor to the next Stuxnet , the ultra-sophisticated worm that last year was pegged as an attack tool aimed at Iran's nuclear programme.

Some analysts, however, have disagreed, and have dismissed the idea that Duqu can be reliably linked to Stuxnet.

Today, Storms said that the hackers' exploit of the Windows kernel vulnerability reinforces the latter view.

Sophisticated attack

"They're using the kernel bug to deploy the Trojan," said Storms, pointing to Symantec's explanation and accompanying diagramme of Duqu's infection process. "That tells me Duqu may not be a very sophisticated attack."

Leveraging kernel vulnerabilities - which typically let attacks gain the rights necessary on the targeted PC to install further malware - is "pretty common," noted Storms.

Microsoft has patched scores of kernel vulnerabilities this year, including a whopping 30 in April 2011 alone.

Today, Microsoft said it's on the case.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware," said Jerry Bryant of the Microsoft Trustworthy Computing group. "We are working diligently to address this issue and will release a security update for customers through our security bulletin process."

A Microsoft spokeswoman later declined to comment on when the company would patch the kernel vulnerability.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.