Get Exploited Like It's 1999

This week, Microsoft issued a workaround for a virulent new Trojan attack called Duqu. That's always a bad sign, suggesting that this attack is serious enough to warrant immediate attention even though a formal fix isn't yet available. Looking into Duqu, however, I'm struck most obviously by how basic an attack vector it uses: email-based attachments. What is this, 1999?

Duqu exploits a flaw in the way that Windows parses TrueType fonts (speaking of the 1990s), and when successful, it can provide an open tunnel into your PC, allowing malicious hackers to run arbitrary code with full system privileges. This includes installing applications; viewing, changing, and deleting data; and creating new admin-level accounts. And it works on virtually all supported Windows versions, including Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

Hackers are actively using Duqu to attack PCs now, according to Microsoft, and the one widely known attack uses a maliciously crafted Microsoft Word document that's sent via email. Simply opening the Word document will start the attack. (Other document types could easily be infected with this Trojan, including Microsoft Excel spreadsheets and PDF files.)

To protect users in the short term, Microsoft has issued a workaround for Duqu, which is available as a Fix It For Me service from Microsoft's website.
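The attachment vector described above suggests a cheap triage check a mail gateway or analyst can run: documents that carry an embedded font are rare in ordinary email, and a crafted font is exactly what a font-parser exploit needs. This is an added example, not code from the column or from Microsoft; it assumes the document is in the Office Open XML (.docx) format, which the column does not specify, and the sample documents are constructed in memory.

```python
"""Triage heuristic: flag Word documents that embed fonts (added example,
assumes .docx; the column does not say which Word format Duqu used)."""
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FONT_EXTS = (".odttf", ".ttf", ".otf", ".ttc")


def embedded_fonts(docx_bytes: bytes) -> list[str]:
    """Return the archive paths of every embedded font part in a .docx.

    Word stores embedded fonts under word/fonts/ (normally obfuscated as
    .odttf) and declares them in word/fontTable.xml with w:embedRegular,
    w:embedBold and similar elements. Both places are checked, so a part
    that was renamed, or a table entry whose part is missing, still flags.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.startswith("word/fonts/") or low.endswith(FONT_EXTS):
                found.append(name)
        if "word/fontTable.xml" in zf.namelist():
            root = ET.fromstring(zf.read("word/fontTable.xml"))
            for el in root.iter():
                if el.tag.startswith("{%s}embed" % W_NS):
                    found.append("fontTable:" + el.tag.split("}")[1])
    return sorted(set(found))


def should_quarantine(docx_bytes: bytes) -> bool:
    """True when the document carries any embedded font (hold for review)."""
    return bool(embedded_fonts(docx_bytes))


def build_docx(with_font: bool) -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not a real
    dropper): a document part plus, optionally, one embedded font part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_font:
            zf.writestr("word/fonts/font1.odttf", b"\x00" * 64)
            zf.writestr("word/fontTable.xml",
                        '<w:fonts xmlns:w="%s"><w:font w:name="Sample">'
                        '<w:embedRegular w:fontKey="{PLACEHOLDER-GUID}"/>'
                        '</w:font></w:fonts>' % W_NS)
    return buf.getvalue()
```

A hit is a reason to hold the message for manual review or sandbox detonation, not proof of malice, since legitimate documents occasionally embed fonts for fidelity.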

Much has been made of Duqu's supposed heritage. According to security researchers who've studied Duqu, it almost certainly was made by the same Mad Hatters who created Stuxnet, the virus that was used to infiltrate and undermine the Iranian nuclear program. Many suspect that that particular attack was directed by, or made with the knowledge of, the United States government.

That's fascinating, of course. But let me get back to the core issue here, as I see it, which is that, 30 years into the PC revolution, human beings are still the weakest link in the entire system.

As I write this, Duqu can infect your PC only if you open a Word attachment that was sent via email. And this means that, despite all the technology we have to prevent bad things from happening to good computers, all it takes is a careless, clueless double-click to unleash hell. Still.

Microsoft has been working on this basic problem for ages, as have various security-related firms. Windows has been hardened over the years with technologies such as SmartScreen, anti-malware, Data Execution Prevention, BitLocker and other forms of encryption, USB auto-run lockdown, and more. And yet none of this stuff apparently matters if users are willing to double-click an email attachment that might or might not appear to have come from someone they know.

Many US states have enacted motorcycle helmet laws that some find well-intentioned but contrary to deep-seated notions of self-determination. I think of this example as proof that you really can create laws against stupidity, and that saving people from their own bad decisions is sometimes a good idea. Likewise for PC security. All the technology in the world, and all the properly created policies, will come to naught if that weak link at the end of the chain – you, me – simply double-clicks that attachment.

That's amazing to me.

Before the Internet became the all-encompassing background to everything we do, these kinds of attacks were far more limited, but they were propagated to users' computers in a surprisingly similar manner, via floppy disks, perhaps from the local user group meeting or whatever. The fact that the Internet makes electronic attacks simpler isn't surprising. But the attacks themselves haven't really changed much at all.

This kind of attack set back Iran's nuclear program, for crying out loud. How can we expect Mabel in the corner office to not click on that attachment?

We can't. But we can prevent that code from working. And that's the type of deep-seated, fundamental change that might in fact require a completely new platform. You know, something like Windows 8. In Windows 8, we're getting integrated antivirus (finally) and, better still, a completely new runtime environment with sandboxed apps. Windows 8 won't prevent Duqu-type attacks, because that old Windows desktop and Win32 runtime are still available. But it's possible that ARM-based versions of Windows 8 won't be similarly bogged down by this legacy deadwood. And certainly, over time, the new WinRT runtime will mature and grow to utterly replace Win32 on modern PCs.

We'll see. Despite the complaints I've seen about the coming user experience in Windows 8, the low-level stuff might in fact end up being a much bigger deal. And when and if future Duqu-type attacks fail because of that change – saving Iranian nuclear scientists and US office workers alike – then perhaps we'll all look back with wistful smiles at the thought of how we used to do things.

(OK, I'm more cynical than that. It's far more likely that we'll simply suffer from new forms of attack.)