The attack bypasses all security mechanisms of Windows (unless you have a well-updated antivirus, or intrusion detection/prevention on your network or host that is updated to stop this kind of attack) and uses a bug in the registry to give the attacker the possibility to install any code on your machine with the privileges of the machine itself (god, in fact).
It is one of the zero-day vulnerabilities being used by Stuxnet but which hasn't been patched (yet) by Microsoft. It wouldn't surprise me if they get an automated workaround or patch out in the coming weeks.
There is a workaround, but it is unofficial and it has not been tested yet (Sophos):
There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:
- As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
- Right-click EUDC and choose permissions
- Choose the user whose account you are modifying and select Advanced
- Select Add and then type in the user's name and click OK
- Click the Deny checkbox for Delete and Create Subkey
- Click all the OKs and Apply buttons to exit
The registry keys being changed by this mitigation should not impact a user's ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
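The same permission change can be applied to every loaded user hive in one go. This is an added example, not from the original post or from Sophos: it is assumed to run from an elevated PowerShell prompt, the SID-to-account lookup and the -WhatIf switch are additions for safety, and the Deny ACE on Delete and CreateSubKey is the one the steps above describe.

```powershell
# Added example: apply the EUDC mitigation from the steps above to each
# user hive under HKEY_USERS. Assumes an elevated (Administrator) session.
param([switch]$WhatIf)

# Rights the mitigation denies to the user on their own EUDC key.
$denyRights = [System.Security.AccessControl.RegistryRights]::Delete -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey

# Only real user hives (S-1-5-21-...), skipping *_Classes and built-in SIDs.
$userSids = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $_.PSChildName }

foreach ($sid in $userSids) {
    $keyPath = "Registry::HKEY_USERS\$sid\EUDC"
    if (-not (Test-Path $keyPath)) {
        Write-Warning "$sid has no EUDC key loaded; skipping"
        continue
    }
    # Resolve the SID to DOMAIN\user so the ACE targets the right account.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "cannot translate $sid to an account name; skipping"
        continue
    }
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $account,
        $denyRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    if ($WhatIf) {
        Write-Host "would deny Delete+CreateSubKey on $keyPath for $account"
    } else {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
        Write-Host "denied Delete+CreateSubKey on $keyPath for $account"
    }
}
```

Run it once with -WhatIf to see which hives and accounts it would touch; hives of users who are not logged on are not loaded under HKEY_USERS and will be skipped.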
The bad news is that not only can you use malware code to inject this control onto the targeted machine (if you can fool the antivirus, if there is one in place), but you can also combine it with other unpatched attack routes like CVE-2010-3962 for Internet Explorer.
It could be nothing, or it could become big.
For all those under targeted attack, or who are normal targets for such attacks, you had better watch out for this one.