Microsoft Releases Partial Fix for Duqu Malware


Well, it’s not a total fix, but Microsoft has finally posted a new security advisory telling users what steps it is taking against Duqu, a new and troubling strain of malware that exploits a previously unknown vulnerability in Windows, delivered through a malicious Microsoft Word document, and that security experts have compared to the infamous Stuxnet worm.

The company said that a full fix won’t be available until sometime after the company’s next regularly scheduled security release on November 8.

“Microsoft is currently working to develop a security update for Windows to address this vulnerability,” reads the new advisory, posted on Microsoft’s TechNet security blog late Thursday. “Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution.”

“It’s important to note that the associated risk is minimal for the public,” said Jerry Bryant, group manager of response communications at Microsoft Trustworthy Computing, in a statement emailed to TPM on Thursday night. “Microsoft and our industry partners encourage customers to ensure their antivirus software is up to date, as we continue to work toward a solution for this issue.”

In the meantime, the company said it has given antivirus vendors the detection information they need, and it advises all users to update their antivirus software as soon as possible and scan for the malware.

Users are then instructed to apply one of several “suggested workarounds.” These block the exploit rather than removing malware that is already on a machine, so an infected system still has to be cleaned with up-to-date antivirus software; what the workarounds do is deny the Duqu attackers their way in. Once inside, the attackers can obtain users’ passwords, and with them essentially any sensitive information, thanks to the keystroke recorders and other “infostealers” bundled in the malware.

Duqu arrives as a Microsoft Word document attached to an email; the malware is installed only if the recipient opens the attachment.

However, as the U.S. security firm Symantec pointed out, once one computer is infected the malware can spread across a network anyway: the attackers simply use the stolen passwords to log on to other computers and install Duqu by hand.

Microsoft’s security advisory prescribes different workarounds for the various supported Windows versions. They can be applied automatically with a Microsoft “Fix It” package, or by typing commands at an administrative command prompt (cmd.exe run as administrator).
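The article does not reproduce the commands. The script below is an added example, not text from the TPM article or from Microsoft’s Fix It package: it applies the workaround from Microsoft Security Advisory 2639658, which denies the Everyone group access to the font-embedding library t2embed.dll, on Windows Vista, Windows 7 and Server 2008 (R2), and reverses it when run with the argument `undo`. The file name and commands are taken from the advisory’s workaround section as this editor recalls them; confirm them against the advisory’s own text before use. The Windows XP and Server 2003 variant, which uses cacls instead of icacls, is not reproduced here.

```batch
@echo off
rem Added example (not from the TPM article): apply or undo the
rem "deny access to t2embed.dll" workaround from Microsoft Security
rem Advisory 2639658 on Windows Vista / 7 / Server 2008 (R2).
rem Run from an elevated command prompt. Usage:
rem   duqu-workaround.cmd        (apply the deny entry)
rem   duqu-workaround.cmd undo   (remove it again once the patch is installed)
setlocal
set "MODE=%~1"

rem The native copy of the font-embedding library.
call :apply "%windir%\system32\t2embed.dll"

rem 64-bit Windows also ships a 32-bit copy under SysWOW64; the advisory
rem covers both, so handle it when present.
if exist "%windir%\syswow64\t2embed.dll" call :apply "%windir%\syswow64\t2embed.dll"

endlocal
exit /b 0

:apply
if /I "%MODE%"=="undo" (
    echo Removing the deny entry on %~1
    icacls.exe "%~1" /remove:d everyone
) else (
    echo Denying Everyone access to %~1
    rem Take ownership first; the file is owned by TrustedInstaller by default.
    takeown.exe /f "%~1" >nul
    icacls.exe "%~1" /deny "everyone:(F)"
)
rem Print the resulting ACL so the deny entry, or its absence, can be confirmed.
icacls.exe "%~1"
exit /b 0
```

Because the script only changes the file’s ACL, the check is the last `icacls` listing: after applying, each copy of t2embed.dll should show an `Everyone:(DENY)(F)` style entry, and after `undo` that entry should be gone. As Microsoft notes, applications that rely on embedded fonts will not render them correctly while the deny entry is in place, so the `undo` path should be run once the real Windows update has been installed.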

There is a cost, as Microsoft acknowledges. The Duqu exploit targets a security flaw in the Windows TrueType font parsing engine, the component that reads TrueType font files so that text renders the same way on screen and on paper, and the workarounds block that code path rather than fixing it. As a result, embedded fonts will no longer display correctly while the workaround is in place. Embedded fonts are fonts carried inside a document or web page so that it looks the same wherever it is opened, even on a computer that does not have that font installed. The workaround is therefore a stopgap: once the Windows update ships, it should be reversed so embedded fonts work again.

Embedded fonts are used mostly in web design, but Microsoft Word also supports font embedding. Microsoft publishes instructions for disabling it in Word, as well as a reference page covering everything you could ever hope to know about embedded fonts.

Security firms theorize the Duqu malware was created to conduct industrial espionage in the vein of the Stuxnet worm that infected Iranian nuclear facility computers last year and reportedly caused significant physical damage to centrifuges at Iran’s Natanz nuclear plant.

Duqu has done no physical damage of that kind, at least so far. Instead it has recorded keystrokes and stolen passwords and other information from computers at up to six organizations in Iran and other Asian and European countries. But Symantec believes this was only the precursor to a Stuxnet-like attack.

And the threat is far from contained, as Bryant made clear in Microsoft’s advisory, writing: “As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.”
