For the last several weeks, the Duqu virus has been alive in the wild. While there had been some speculation as to how it infects systems, Microsoft has now admitted that a zero day flaw in Windows is partially to blame.
In a security advisory issued late Thursday, Microsoft disclosed a previously un-reported Windows flaw. The flaw attacks the TrueType font parsing engine Win32k component.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft warned. "The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
The Duqu malware was first identified on October 19 and has been connected by security researcher to the Stuxnet virus that hit Iran in 2010. F-Secure security researcher, Mikko Hyponnen recently said that Duqu shares source code with Stuxnet. Hyponnen also sees Duqu as being a pre-cursor to a new Stuxnet-type attack where Duqu is the data collection and target enumeration phase.
Duqu is already infecting machines worldwide. According to Symantec, six organizations in eight countries have confirmed Duqu infections. Microsoft noted in its advisory that they are aware of targeted attacks, however overall they see low customer impact at this time.
Microsoft has indentified at least one important mitigating factor which may help to reduce risk, as well.
"The vulnerability cannot be exploited automatically through e-mail," Microsoft stated. "For an attack to be successful, a user must open an attachment that is sent in an e-mail message."
To fix the flaw, Microsoft has provided a 'Fix it' tool as an immediate workaround to help mitigate the risk of the TrueType font parsing engine. Microsoft has also indicated that they may be providing a security patch update to all of their customers.
Additionally, Microsoft has provide detailed information to participants in the Microsoft Active Protections Program (MAPP). MAPP partners include antivirus and network security firms that can now provide their respective customers with rules and signature updates to protect against the flaw.
"Given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk," Jerry Bryant, group manager, Response Communications in the Trustworthy Computing Group at Microsoft wrote in a blog post. Bryant noted that currently Microsoft's view is that the risk is low, but that could change.
"We encourage customers to either apply the workaround or ensure their antimalware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue," Bryant said.