Microsoft Issues Temporary Fix for Duqu Virus

A new zero-day flaw has been discovered in Windows operating systems, including Windows 7, Windows Vista and Windows XP. The exploit, which has been named “Duqu”, can silently hand control of the user’s computer to a remote hacker. This exploit has been found inside Microsoft Word files. Microsoft have responded swiftly to this security risk after it was reported that computers in the UK, France, Iraq and Iran had already been infected by it.

According to security researchers at Symantec, the virus was sent to the victim computers in a Microsoft Word document attached to an email. Microsoft say that they’ve seen “low consumer impact” but urge users to install their temporary fix for the issue.

The worry is that an attacker who successfully exploits this vulnerability would be able to run arbitrary code in kernel mode. This would then allow the attacker to install programs; view, change, or delete data; and even create new accounts with full user rights. Microsoft are expected to release a number of security updates as part of their monthly cycle, but it’s not thought that this fix is included in that update. However, Microsoft may offer the patch as an out-of-cycle update.

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Apparently, this virus has changed form since it was first discovered. The first version of the virus connected with a server in India, but a more recent version tried to log on to a server in Belgium, which has now been taken offline. The Duqu virus consists of a driver file, a dynamic-link library (DLL) containing many embedded files, and a configuration file. These are installed by an installer built into the code.

Duqu is able to run because it uses a valid digital certificate from a company based in Taiwan’s capital, Taipei, whose private “keys” for generating the certificate were stolen earlier this year.

So for now, until Microsoft releases an update to patch this security flaw, be extra careful when you open Word documents, especially ones you get from unfamiliar email addresses. I’d also recommend installing Microsoft’s temporary patch, which you can find here

 


One Response to Microsoft Issues Temporary Fix for Duqu Virus


  1. IT Rush November 5, 2011 at 6:18 am #

    Thanks for the heads up.. checking the link now for the patch.
