munkery

macrumors 68020
Original poster
Dec 18, 2006
2,217
1
A new worm similar to and possibly based on Stuxnet's source code is targeting Windows systems used in industrial settings.

http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

http://www.symantec.com/content/en/...he_precursor_to_the_next_stuxnet_research.pdf

The installation vector is unknown.

It is possible that it leverages a local privilege escalation zero day.

It has been confirmed that Duqu utilizes a local privilege escalation vulnerability to bypass discretionary access controls to install this malware at the system-level without prompting the user during installation.

http://www.theregister.co.uk/2011/11/01/duqu_exploits_windows_zero_day/

This means that this malware has access to even protected keystrokes, such as those related to security sensitive logins and other protected data entry.

The vulnerability is a zero day in the Windows kernel. It is presently still unpatched but given the severity of the threat will most likely be fixed quickly.

No workaround to mitigate the issue until a patch is ready has been provided by Microsoft.

munkery
Vulnerability in Win32k.sys allows arbitrary code execution with kernel-mode privileges via the web browser in Windows 7. -> http://www.theregister.co.uk/2011/12/21/win_7_bug_crash_risk/

This vulnerability would allow a sandbox escape as well as protected storage and protected data entry to be compromised. -> http://secunia.com/advisories/47237

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

This vulnerability is not isolated to Safari running in Windows 7. -> http://pastebin.com/XTWnLF3p

What this means is that *any* client, local or remote, that does skinning of the controls (i.e.: almost all of them -- even a button on a flash PDF) could result in a NineGrid transform that hits this bug. It's not at all specific to WebKit.

The vulnerability has been known to manifest in Firefox since 2005. -> https://bugzilla.mozilla.org/show_bug.cgi?id=320430
 