Microsoft announces workaround for the Duqu exploit

Filed Under: Featured, Malware, Microsoft, Vulnerability, Windows

Microsoft has posted a security advisory 2639658 to address the recently disclosed Windows kernel vulnerability (CVE-2011-3402) exploited by the Duqu malware.

Microsoft has determined the flaw is in the processing of embedded True Type Fonts (TTFs). According to Microsoft:

"The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

That's a pretty serious bug. In the terms security professionals usually use, that means it allows remote code execution (RCE) and elevation of privilege (EoP).

Microsoft is working diligently to provide a patch, but it is unlikely we will see it in this Tuesday's update from the software giant. They are simply committing to providing a quality fix whether that is in an out-of-cycle update or in the December Patch Tuesday.

Microsoft has offered a FixIt download tool that will disable support for embedded TTFs to provide protection against the flaw.

The problem with that is it will prevent any applications that rely on embedded TTFs from rendering properly. This is a common practice in Microsoft Office documents, browsers and document viewers.
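Before rolling the workaround out (or when deciding whether to roll it back because documents stop rendering), an administrator will want a quick way to see which machines already have it applied. The following PowerShell script is an added example, not part of the article and not Microsoft's FixIt; it assumes, based on Microsoft's advisory for KB2639658 rather than anything stated on this page, that the workaround disables embedded TrueType rendering by placing a Deny ACE for Everyone on t2embed.dll (and on the SysWOW64 copy on 64-bit Windows). It only reads ACLs and reports; it changes nothing.

```powershell
# Added example (not from the article or from Microsoft's FixIt).
# Assumption: the KB2639658 workaround denies Everyone full control of
# t2embed.dll, the library that renders embedded TrueType fonts, so a
# Deny ACE for Everyone on that file indicates the workaround is in place.

# 64-bit Windows keeps a second copy under SysWOW64 for 32-bit processes.
$candidates = @(
    (Join-Path $env:windir 'System32\t2embed.dll'),
    (Join-Path $env:windir 'SysWOW64\t2embed.dll')
)

function Test-EmbeddedFontWorkaround {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Workaround = $null }
    }

    $acl = Get-Acl -LiteralPath $Path
    # Look for an explicit Deny for Everyone that blocks full control.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -match 'Everyone' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
            [System.Security.AccessControl.FileSystemRights]::FullControl
    }

    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        Workaround = [bool]$deny
    }
}

$results = $candidates | ForEach-Object { Test-EmbeddedFontWorkaround -Path $_ }
$results | Format-Table -AutoSize

# Summarise for inventory scripts: exit code 0 if every existing copy is
# protected, 1 if at least one copy still allows access.
$unprotected = $results | Where-Object { $_.Present -and -not $_.Workaround }
if ($unprotected) { exit 1 } else { exit 0 }
```

Run it in an elevated session if Get-Acl cannot read the file's security descriptor. Because it only inspects the ACL, it can be pushed to every machine through a login script or a management tool to build a picture of where the workaround is active and where embedded fonts (and the applications that depend on them, as noted above) are still unaffected.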

I expect Microsoft won't waste too much time getting a fix out for this one, and the risk of being exploited through this bug is extremely low for most organizations.

As SophosLabs further analyzes this threat we will post updates here on Naked Security.


11 Responses to Microsoft announces workaround for the Duqu exploit

  1. Deborah Lee Kearns · 1086 days ago

    Why is it always, "Microsoft have" instead of "Microsoft HAS" like the rest of Microsoft's singular tense?! Can't you check your English grammar right?!

    • Chester Wisniewski · 1085 days ago

      Thanks, sorry about that. Late nights lead to mistakes.

      Fixed :)

    • blablabla · 1085 days ago

      Hey Debs...are you American or European?
      Have or has... whatever, it seems it's not a mistake in some grammar rules...check YOUR English
      btw..is it really the only thing you see on this article? O.o

  2. John · 1085 days ago

    I'm trying to reconcile how on one hand we call this a pretty serious bug, but on the other say the risk is very low. I understand that the major antivirus vendors have definitions, but historically, major viruses have morphed into new variants very quickly.

    I'm also trying to determine the impact of implementing the workaround. How widespread is the use of embedded TrueType fonts? I have two laptops, one with the dll disabled and one without. I have been hitting bunches of websites and loading Word and PowerPoint documents, side-by-side. I have yet to come across anything with noticeable font issues.

    • Chester Wisniewski · 1077 days ago

      If the exploit becomes more widely known, it is a very serious risk. At this point only researchers and the attackers using it in a targeted manner are aware of it, making the current risk to people who are not being targeted by these attackers quite low.

  3. Nigel · 1084 days ago

    This is called a "Windows kernel vulnerability", but I was curious whether this vulnerability might also apply to True Type Fonts (TTFs) installed on a Mac. Apparently it doesn't...or at least Microsoft's security advisory page at http://support.microsoft.com/kb/2639658 (the same page linked in the article, above) makes no mention of applicability to TTFs on Mac OS X. In fact, the page contains the following "System Tip":

    "This article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled."

    Just checking. Can't be too careful.

  4. Hank Arnold · 1084 days ago

    Does (or will) Sophos detect this? We are using End Point Security (Latest/up to date)?

    • Chester Wisniewski · 1077 days ago

      We detect all known components of the malware and are working with Microsoft to provide protection generically against the exploit.

  5. David · 1084 days ago

    Is this patch for all Windows or only for Windows 7?
    Thx

    • Chester Wisniewski · 1077 days ago

      The patch will be for all supported versions; the workaround should work for any version.

  6. Marco · 1048 days ago

    Hello
    Is the MS patch/workaround necessary if Sophos is installed on the machine?

    Tnx
    Marco


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.