Kaspersky Lab, a leading developer of secure content and threat management solutions, announces that its security solutions are now detecting the vulnerability that was used for distributing all known versions of the infamous Duqu Trojan. Kaspersky Lab’s experts have successfully implemented protection against Trojan.Win32.Duqu.a as well as other malicious programs exploiting the CVE-2011-3402 vulnerability.
The “zero-day” type of vulnerability in question was found in the Win32k TrueType font-parsing engine; as such, the vulnerability affects various office programs. For example, a specially crafted Microsoft Word document opened on a victim’s machine can be used to elevate privileges and then run arbitrary code.
More information about the vulnerability can be found on Microsoft’s website. Kaspersky Lab would like to thank Microsoft for providing it with certain technical details regarding the vulnerability, which helped speed up the process of detection. All Kaspersky Lab security solutions detect this vulnerability under the name Exploit.Win32.CVE-2011-3402.a as of November 6, 2011.
Meanwhile new information about Duqu, the recently discovered Trojan that has close ties to Stuxnet “industrial” malware, has emerged. Kaspersky Lab confirms that some of Duqu’s targets were hit as early as in April 2011, utilizing the abovementioned CVE-2011-3402 vulnerability. In the same month of April Iranian officials reported a cyber-attack carried out by malware called Stars. According to some reports, Stars could be an early version of Duqu. If these reports are true, this could mean that the main purpose of Duqu is conducting industrial espionage on Iran’s nuclear program.
In the meantime Microsoft has issued a temporary patch for the newly discovered vulnerability, with a permanent security fix to be distributed later. Kaspersky Lab’s products are now able to block all malicious programs using this type of vulnerability, preventing other cybercriminals from exploiting the serious zero-day security hole.