September 30, 2016

Microsoft Releases Security Advisory And ‘Fix it’ to Combat Duqu

(LiveHacking.Com) – It was revealed a couple of days ago that the new Duqu malware (which many see as related to the infamous Stuxnet trojan) spreads via a zero-day vulnerability in the Windows kernel. Microsoft have now issued a security advisory and a “Fix it” workaround.

Microsoft has revealed in the advisory that the problem is in the Windows TrueType font parsing engine. An attacker who exploits this vulnerability can run their own code in kernel mode and then proceed, unhindered, to install programs, modify data, or create new accounts.

The vulnerability is present in every supported version of Windows, including the desktop versions (XP, Vista and Windows 7) and the server variants (Windows Server 2003 and Windows Server 2008). It affects both 32-bit and 64-bit systems.

The vulnerability can be exploited in multiple ways, including providing documents, or convincing users to visit a Web page, that embed specially crafted TrueType fonts. The vulnerability is caused when a Windows kernel-mode driver fails to properly handle the TrueType font type.

Workaround

A temporary workaround is to block access to t2embed.dll. Blocking access to this DLL does not correct the underlying issue, but it will help block known attack vectors until Microsoft issue a security update.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for users to install, Microsoft has released a Fix it that allows one-click installation of the workaround and gives enterprises an easy way to deploy it.
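The article says only that the workaround is to "block access to t2embed.dll". The script below is an added example of how an administrator could audit, apply and later undo that restriction; it is not the article's text, the Microsoft Fix it, or the advisory's own commands. It assumes an elevated PowerShell session on Vista or later (where takeown.exe and icacls.exe exist), that the DLL lives under System32 and, on 64-bit systems, also under SysWOW64, and that a Deny entry for Everyone is the form of "blocking" wanted. Run it without switches first: applications that rely on embedded fonts may stop rendering them while the Deny entry is in place, so the -Undo path is there for when the real security update arrives.

```powershell
# Added example (not from the article or from Microsoft): audit and, on request,
# apply or remove a Deny ACE on t2embed.dll, the workaround the article describes.
# Assumptions: elevated prompt; takeown.exe / icacls.exe available (Vista and later);
# paths under $env:windir\System32 and $env:windir\SysWOW64 are where the DLL lives.
param(
    [switch]$Apply,   # without -Apply or -Undo the script only reports the current state
    [switch]$Undo     # remove the Deny entry again, e.g. once the security update is installed
)

$candidates = @(
    (Join-Path $env:windir 'System32\t2embed.dll'),
    (Join-Path $env:windir 'SysWOW64\t2embed.dll')   # only present on 64-bit Windows
)

foreach ($dll in $candidates) {
    if (-not (Test-Path $dll)) { continue }          # SysWOW64 copy is absent on 32-bit systems

    # Audit: is there already a Deny entry for Everyone on this file?
    $acl = Get-Acl -Path $dll
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.IdentityReference.Value -eq 'Everyone')
    }
    if ($denied) {
        Write-Host "$dll : access already blocked (Deny ACE for Everyone present)"
    } else {
        Write-Host "$dll : NOT blocked"
    }

    if ($Apply -and -not $denied) {
        # System32 binaries are owned by TrustedInstaller; administrators must take
        # ownership before they are allowed to change the ACL.
        takeown.exe /f $dll | Out-Null
        icacls.exe $dll /deny 'Everyone:(F)' | Out-Null
        Write-Host "$dll : Deny ACE added"
    }

    if ($Undo -and $denied) {
        # /remove:d strips Deny entries for the named principal, restoring normal access.
        icacls.exe $dll /remove:d 'Everyone' | Out-Null
        Write-Host "$dll : Deny ACE removed"
    }
}
```

Usage: `.\block-t2embed.ps1` reports state only; `.\block-t2embed.ps1 -Apply` adds the Deny entry on every copy found; `.\block-t2embed.ps1 -Undo` removes it. Keeping the audit step separate from the change lets the same script double as a compliance check across a fleet before and after the workaround is rolled out.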

No fix for November’s Patch Tuesday

Microsoft have said that a fix for this vulnerability will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.
