You may have heard recently about the Duqu malware, making the rounds. It appeared in the guise of a specially crafted Word document that, when opened, would compromise your Windows PC. It was all over the news last week.
This morning, I received one of those "you're not really on our mailing list, but it's not really spam" emails from Redmond Magazine, "the independent voice of the Microsoft IT community". It linked to their full article, but the email summary said:
The Duqu zero-day exploit has had Microsoft twisting, turning and churning for a solution. Duqu exploits a hole in the Windows kernel and lets hackers remotely access and control your unfixed computer.
That's until Microsoft came out with a workaround last week. The stopgap solution can protect the kernel with just a few lines of code and a one click-install. That's some pretty efficient code. (Emphasis mine)
Yes, that's some pretty efficient code, wrapping a fix into a one-click install.
I guess I'd be more impressed if I didn't know what allowed the Duqu exploit in the first place: Windows parses fonts in kernel mode. That's maybe not the best practice. Kind of blows your whole "pretty efficient code" out of the water with "spectacularly stupid security."
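To make the point concrete: the problem with parsing untrusted font data in the kernel is that any parser bug (an unchecked table length, a bad offset) runs with kernel privilege, so a malformed file becomes a system compromise instead of a crashed process. The following is an added example, not code from the post or from Microsoft. It parses a TrueType table directory with explicit bounds checks and runs the parser in a separate, unprivileged child process, so a malformed file, a hang or even an outright worker crash is contained and reported rather than taking the caller down. The sample font bytes and the deliberately crashing `_crash_for_demo` parser are constructed for the demonstration; the fork start method assumes a POSIX host.

```python
"""Parse a TrueType table directory with bounds checks, inside an isolated worker process."""
import multiprocessing
import os
import struct

# Fork keeps the example self-contained on POSIX; fall back to the platform default elsewhere.
try:
    _CTX = multiprocessing.get_context("fork")
except ValueError:
    _CTX = multiprocessing.get_context()


class FontParseError(ValueError):
    """Raised for any structural problem in the font; never lets a bad offset through."""


def parse_table_directory(data: bytes) -> dict:
    """Return {tag: (offset, length)} for the font's table records.

    Every count, offset and length is validated against len(data) before it is used.
    """
    if len(data) < 12:
        raise FontParseError("file shorter than the 12-byte offset table")
    sfnt_version, num_tables = struct.unpack_from(">IH", data, 0)
    if sfnt_version not in (0x00010000, 0x4F54544F, 0x74727565):  # 1.0, 'OTTO', 'true'
        raise FontParseError("unknown sfnt version 0x%08x" % sfnt_version)
    if 12 + 16 * num_tables > len(data):
        raise FontParseError("numTables=%d overruns the file" % num_tables)
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        # Written as a subtraction so the check cannot be bypassed by offset+length wrapping
        # in a fixed-width integer (Python ints do not wrap, but a C parser's would).
        if offset > len(data) or length > len(data) - offset:
            raise FontParseError("table %r offset/length out of bounds" % tag)
        tables[tag.decode("ascii", "replace")] = (offset, length)
    return tables


def _worker(parser, data, conn):
    """Child-process body: run the parser and ship the outcome back over the pipe."""
    try:
        conn.send(("ok", parser(data)))
    except Exception as exc:  # any parser failure becomes a reported error, not a crash
        conn.send(("error", str(exc)))
    finally:
        conn.close()


def parse_in_sandbox(data: bytes, parser=parse_table_directory, timeout: float = 5.0):
    """Run `parser` on `data` in a child process.

    Returns ("ok", result) or ("error", message). A parser exception, a hang past
    `timeout`, or the worker dying outright all surface as an error to the caller.
    """
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(parser, data, child_conn))
    proc.start()
    child_conn.close()  # parent must drop its copy so EOF is seen if the child dies
    try:
        result = parent_conn.recv() if parent_conn.poll(timeout) else ("error", "worker timed out")
    except EOFError:  # child exited without sending anything: it crashed
        result = None
    proc.join(1)
    if proc.is_alive():
        proc.kill()
        proc.join()
    if result is None:
        result = ("error", "worker died with exit code %s" % proc.exitcode)
    return result


def _crash_for_demo(_data):
    """Hypothetical parser standing in for a memory-safety bug: the worker just dies."""
    os._exit(139)


def build_sample_font(tables):
    """Constructed sample: a minimal sfnt 1.0 file with the given (tag, payload) tables."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    records, payload, offset = b"", b"", 12 + 16 * num
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, offset, len(body))
        payload += body
        offset += len(body)
    return header + records + payload


SAMPLE_FONT = build_sample_font([(b"head", b"\x00" * 54), (b"cmap", b"\x00" * 4)])
# Constructed malformed sample: the 'head' record's length field patched to 0xFFFFFFFF.
MALFORMED_FONT = SAMPLE_FONT[:24] + struct.pack(">I", 0xFFFFFFFF) + SAMPLE_FONT[28:]

if __name__ == "__main__":
    print(parse_in_sandbox(SAMPLE_FONT))
    print(parse_in_sandbox(MALFORMED_FONT))
    print(parse_in_sandbox(SAMPLE_FONT, parser=_crash_for_demo))
```

The design point is the one the post makes: the parser's correctness still matters (the bounds check rejects the patched length), but the process boundary means that even a parser bug the checks miss is a dead unprivileged worker and an error string, not arbitrary code in the kernel.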
This, from the company that claimed in 2005 to be "investing heavily in security", focusing on the security pillars of:
- Fundamentals: provide a built-in level of safety and security, improvements to the security of software code through the Engineering Excellence initiative, and investments in technologies.
- Threat and vulnerability mitigation: industry-leading integrated security technologies, defense-in-depth protection.
- Identity and access control: technologies that verify user identity, control what resources users are allowed to access based on policy, allow management of users, and protect access to data.
I'd say this Duqu exploit demonstrates a failure on all three levels.