
Duqu .doc advice

What to do about the ‘Duqu’ malware that can be sent via Word documents.

 

There’s plenty of noise but few hard facts so far about the Duqu malware attack.

At the time of writing all we know is:



  • There’s a new Windows exploit that the ‘Duqu’ malware uses to take control of a computer.

  • One method of spreading the Duqu nastie is a Word .doc file.
  • Duqu uses a fault in the Windows font rendering engine to invade a computer.  For techies it’s a problem in T2EMBED.DLL, the library of functions that lets Windows display TrueType fonts.
  • Some reports call this an MS Word security flaw but it’s not limited to Word documents.  Any program that opens a document containing TrueType fonts could expose the computer to Duqu – and that includes PDF files.
  • Microsoft is working on a fully tested patch.

So what is the average Office user to do?  “Run around, scream and shout” – hardly.

Microsoft has released an interim patch for Duqu, but all this does is disable T2EMBED.DLL, leaving you without important TrueType font support.  Among other things, this temporary fix will stop you making PDF files from within Office.

The same page has a ‘reversal’ option to re-enable the DLL if you find you can’t live without it.

 

Duqu-infected files haven’t spread too widely to date.  If they do become more common, Microsoft will hopefully release a proper patch quickly.  Otherwise they’ll wait for the next scheduled monthly patch release.

It’s difficult to say definitively whether to apply the interim fix, since the fix can cause more trouble than the relatively low risk of Duqu infection (based on current reports of public release).  A more prudent strategy is probably to ensure your anti-virus software is up to date and rely on it to detect any infected files before they are opened.

 

Since nothing is publicly known about the exact .doc file and how it’s being distributed, the standard cautious computing advice applies:

  • Be wary of any unexpected attachments from any source.
  • Keep your anti-virus software and Windows up to date.
  • Check any incoming files for nasties – most AV software will do this automatically.

 

There are plenty of infected Office documents around, just waiting for an unprotected computer to infect courtesy of an unwary user.  The ‘Duqu’ document is just the latest of many infestations. 

When sending Office documents, try to use the ‘new’ Office 2007/2010 formats (.docx, .xlsx, .pptx etc).  Not only are the files smaller but it is much more difficult (can’t say impossible) to infect your computer from them.  In this way receivers of documents from you can open them with less concern.
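To go with the advice on checking incoming files and preferring the newer formats, here is an added example (not from the original article) that sorts attachments by what they really contain rather than by their extension. It only identifies the container and any embedded font parts, it does not detect Duqu; the function names are hypothetical and the `word/fonts/` location is an assumption about where Word stores embedded fonts.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"  # .docx/.xlsx/.pptx are ZIP packages
LEGACY_EXT = {".doc", ".xls", ".ppt"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}


def triage(filename, data):
    """Classify one attachment by its content, not its name; return (kind, notes)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    notes = []
    if data.startswith(OLE2_MAGIC):
        kind = "ole2"
        notes.append("legacy binary Office format")
        if ext in OOXML_EXT:
            notes.append("extension says OOXML, content is OLE2")
    elif data.startswith(ZIP_MAGIC):
        kind = "zip"
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return kind, ["damaged ZIP structure"]
        if "[Content_Types].xml" in names:
            kind = "ooxml"
        # Assumption: Word stores embedded fonts as parts under word/fonts/.
        fonts = [n for n in names if n.startswith("word/fonts/")]
        if fonts:
            notes.append("embedded fonts: %d" % len(fonts))
        if ext in LEGACY_EXT:
            notes.append("extension says legacy format, content is ZIP")
    else:
        kind = "unknown"
        if ext in LEGACY_EXT | OOXML_EXT:
            notes.append("Office extension but unrecognised header")
    return kind, notes


def make_sample_package(with_font):
    """Constructed sample: a minimal ZIP shaped like a .docx, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_font:
            z.writestr("word/fonts/font1.odttf", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("report.doc", OLE2_MAGIC + b"\x00" * 504))  # constructed stub
    print(triage("invoice.docx", make_sample_package(with_font=True)))
```

A file whose notes mention a mismatch between extension and content, or embedded fonts, is one to hand to the anti-virus scanner before anyone opens it.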
