Windows Zero-Day Exploit Linked to Duqu Worm

A zero-day vulnerability discovered on Tuesday by Microsoft is being targeted by attackers as an open door to spread the Duqu malware.

While Microsoft has given little in the way of information, it sent the following Twitter message on Tuesday morning: "We are working to address a vulnerability believed to be connected to the Duqu malware."

The vulnerability appears to be a hole associated with the Windows shell code that is exploited by the Duqu malware, which installs itself by using files stored in a Microsoft Word document, according to Symantec's description (PDF). The Word document is sent to system users, who unintentionally initiate the malware dispersal after opening an attached document.

Little is known about the motivation of the attackers using Duqu, except that Duqu appears to target industrial control systems for information stealing. Symantec disclosed the malware newcomer last month and said it was a close relative to the Stuxnet worm due to the way it operates.

"The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered," wrote Symantec in a blog post. "Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party."

Duqu's goal appears to be data gathering, whereas Stuxnet was actually used to disrupt  process control systems, specifically those used in Iran's nuclear reactor program. This difference appears to be why Symantec calls Duqu a "precursor" to Stuxnet.

While Symantec sounded the warning call about the new Trojan, Microsoft remained mum about it publicly until this week's tweet. Microsoft said it is working on a fix for the zero-day exploit but didn't give any indication on whether it would be ready for next week's Patch Tuesday release.

Microsoft may not think there's a huge amount of urgency to rush out a fix. A report last month by Microsoft downplayed the threat of zero-day exploits in general. In that report, Microsoft documented that only 0.12 percent of all software exploits in the first half of the year were due to zero-day holes. It's also thought that that Duqu doesn't self-replicate and that the number of infected systems has been small so far.


About the Author

Chris Paoli is the site producer for and


  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus