Microsoft announces workaround for the Duqu exploit

Filed Under: Featured, Malware, Microsoft, Vulnerability, Windows

Microsoft has posted security advisory 2639658 to address the recently disclosed Windows kernel vulnerability (CVE-2011-3402) exploited by the Duqu malware.

Microsoft has determined that the flaw is in the processing of embedded TrueType fonts (TTFs). According to Microsoft:

"The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

That's a pretty serious bug. In the terms security professionals usually use, that means it allows remote code execution (RCE) and elevation of privilege (EoP).

Microsoft is working diligently to provide a patch, but it is unlikely we will see it in this Tuesday's update from the software giant. They are simply committing to providing a quality fix, whether that arrives as an out-of-cycle update or in the December Patch Tuesday.

Microsoft has offered a FixIt download tool that will disable support for embedded TTFs to provide protection against the flaw.

The problem with that is it will prevent any application that relies on embedded TTFs from rendering them properly. Embedding fonts is a common practice in Microsoft Office documents, browsers and document viewers.

I expect Microsoft won't waste too much time getting a fix out for this one, and the risk of being exploited through this bug is extremely low for most organizations.

As SophosLabs further analyzes this threat we will post updates here on Naked Security.


11 Responses to Microsoft announces workaround for the Duqu exploit

  1. Deborah Lee Kearns says:

    Why is it always, "Microsoft have" instead of "Microsoft HAS" like the rest of Microsoft's singular tense?! Can't you check your English grammar right?!

  2. John says:

    I'm trying to reconcile how on one hand we call this a pretty serious bug, but on the other say the risk is very low. I understand that the major antivirus vendors have definitions, but historically, major viruses have morphed into new variants very quickly.

    I'm also trying to determine the impact of implementing the workaround. How widespread is the use of embedded TrueType fonts? I have two laptops, one with the DLL disabled and one without. I have been hitting bunches of websites and loading Word and PowerPoint documents, side-by-side. I have yet to come across anything with noticeable font issues.

    • Chester Wisniewski says:

      If the exploit becomes more widely known, it is a very serious risk. At this point only researchers and the attackers using it in a targeted manner are aware of it, making the current risk to people who are not being targeted by these attackers quite low.

  3. Nigel says:

    This is called a "Windows kernel vulnerability", but I was curious whether this vulnerability might also apply to TrueType fonts (TTFs) installed on a Mac. Apparently it doesn't... or at least Microsoft's security advisory page at http://support.microsoft.com/kb/2639658 (the same page linked in the article, above) makes no mention of applicability to TTFs on Mac OS X. In fact, the page contains the following "System Tip":

    "This article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled."

    Just checking. Can't be too careful.

  4. Hank Arnold says:

    Does (or will) Sophos detect this? We are using End Point Security (Latest/up to date)?

  5. David says:

    Is this patch for all Windows versions or only for Windows 7?
    Thx

  6. Marco says:

    Hello
    Is the MS patch/workaround necessary if Sophos is installed on the machine?

    Tnx
    Marco


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski or send him an email at chesterw@sophos.com.