Microsoft is aware of a zero-day exploit in the Windows kernel that the Duqu worm takes advantage of, according to Symantec, and the company is “working diligently towards issuing a patch and advisory.”
As it turns out, the installer in question is a Word document that, once opened, executes some nasty code that installs Duqu, which is both a rootkit and backdoor worm. It is closely related, according to its profile, to the W32.Stuxnet worm.
According to CrySyS, the group that discovered the installer, inside of Duqu is a “dropper file with an MS 0-day kernel exploit inside.” In other words, Duqu can allow third parties to execute code on infected machines in a freshly discovered and unprotected way. Here’s to hoping that Microsoft closes this door quickly.
Happily, Duqu is relatively easy to remove and has not enjoyed wide distribution, limiting the total potential impact of the exploit. However, other malware could pick up on the flaw itself and use it in more widely distributed infections for as long as it remains open and unpatched by Microsoft. In a comment provided to WinRumors, Microsoft said that it is “working to address a vulnerability believed to be connected to the Duqu malware.” TNW Microsoft has requested comment from the company as to when a patch can be expected, and will update this post upon hearing back.
Interestingly, Duqu itself does not affect Windows 7, a small point, but one that suggests that the security investments that Microsoft put into the current edition of Windows are in fact paying dividends.
Update: Microsoft has provided TNW with the following statement: “Microsoft is working with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We will be providing a security update for customers through our update process.”