June 24, 2019

Light Patch Tuesday Ahead With No Fix For Duqu TrueType Font Vulnerability

(LiveHacking.Com) – Microsoft has published its advance notification of the security bulletins it intends to release for November’s Patch Tuesday (November 8, 2011).

Microsoft will issue four bulletins: one for a ‘Critical’ remote code execution vulnerability, two ‘Important’ fixes for remote code execution and elevation of privilege flaws and a ‘Moderate’ denial-of-service vulnerability.

The ‘Critical’ bulletin affects Windows 7, Vista, Server 2008 and Server 2008 R2 but not XP and Server 2003. This probably means that the flaw is in newer functionality which isn’t included in XP or Server 2003. In fact, only one of the four bulletins affects XP and Windows Server 2003. The other three affect only Windows Vista or above.

Microsoft has already said that a fix for the Windows TrueType font parsing engine vulnerability, which is used by the Duqu malware, will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Microsoft Releases Security Advisory And ‘Fix it’ to Combat Duqu

(LiveHacking.Com) – It was revealed a couple of days ago that the new Duqu malware (which many see as related to the infamous Stuxnet trojan) spreads via a zero-day vulnerability in the Windows kernel. Microsoft has now issued a security advisory and a “Fix it” workaround.

Microsoft has revealed in the advisory that the problem is in the Windows TrueType font parsing engine. An attacker who exploits this vulnerability can run their own code in kernel mode and then proceed, unhindered, to install programs, modify data, or create new accounts.

The vulnerability is in every supported version of Windows, including the desktop versions (XP, Vista and Windows 7) along with the server variants (Windows Server 2003 and Windows Server 2008). The vulnerability affects both 32-bit and 64-bit systems.

The vulnerability can be exploited in multiple ways, including providing documents, or convincing users to visit a web page, that embed specially crafted TrueType fonts. The vulnerability is caused when a Windows kernel-mode driver fails to properly handle the TrueType font type.

Workaround

A temporary workaround is to block access to t2embed.dll. Blocking access to this DLL does not correct the underlying issue, but it will help block known attack vectors until Microsoft issues a security update.

The security advisory provides a workaround that can be applied to any Windows system. To make it easy for users to install, Microsoft has released a Fix it that allows one-click installation of the workaround and gives enterprises an easy way to deploy it.
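As an added example (not from the original article or from Microsoft’s advisory or Fix it), the following PowerShell script audits whether access to t2embed.dll has actually been blocked on a machine. It assumes the workaround was applied as a Deny access control entry for the Everyone group (SID S-1-1-0) on the copies under System32 and, on 64-bit systems, SysWOW64; those paths and that ACL shape are assumptions, so consult the advisory for the exact procedure.

```powershell
# Added example: verify the "block access to t2embed.dll" workaround.
# Assumption: the workaround shows up as a Deny ACE for Everyone (S-1-1-0)
# on each copy of the DLL. Paths are assumed, not taken from the advisory.
$EveryoneSid = 'S-1-1-0'
$Paths = @(
    (Join-Path $env:windir 'System32\t2embed.dll'),
    (Join-Path $env:windir 'SysWOW64\t2embed.dll')   # absent on 32-bit Windows
)

function Test-T2embedBlocked {
    param([Parameter(Mandatory)][string]$Path)
    # Returns $null if the file is not present, $true if a Deny ACE for
    # Everyone covering read/execute exists, otherwise $false.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $acl = Get-Acl -LiteralPath $Path
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # Translate to a SID so localized group names ("Everyone"/"Todos") still match.
        $sid = $ace.IdentityReference.Translate(
            [System.Security.AccessControl.SecurityIdentifier]).Value
        if ($sid -ne $EveryoneSid) { continue }
        # Any overlap with ReadAndExecute means the loader is denied the DLL.
        if (($ace.FileSystemRights -band $readExec) -ne 0) { return $true }
    }
    return $false
}

foreach ($p in $Paths) {
    $state = Test-T2embedBlocked -Path $p
    if ($null -eq $state) {
        Write-Output "$p : not present on this system"
    } elseif ($state) {
        Write-Output "$p : BLOCKED (Deny ACE for Everyone found)"
    } else {
        Write-Output "$p : NOT blocked - workaround not applied"
    }
}
```

Run it from an elevated prompt on each host before and after deploying the Fix it; a NOT blocked result on either path means that copy of the DLL is still loadable.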

No fix for November’s Patch Tuesday

Microsoft has said that a fix for this vulnerability will not be ready for this month’s bulletin release:

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Duqu Spreads Using Windows Zero Day Vulnerability

(LiveHacking.Com) – It has been discovered that the new Duqu trojan (which is thought to be related to Stuxnet) infects PCs by exploiting a zero-day Windows kernel vulnerability via a specially crafted Microsoft Word file.

Duqu, which was spotted in the wild a little under two weeks ago, has components that are nearly identical to those of Stuxnet, but the payload carried by the worm is not intended to sabotage industrial control systems; instead it grants general remote access to a remote command-and-control (C&C) server.

Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.

It is important to underline that the vulnerability used by Duqu is in Windows itself and not Word. This means that this flaw could be exploited through other delivery mechanisms.

“We are working diligently to address this issue and will release a security update for customers,” Microsoft said on Tuesday in a short Twitter statement.

Exploitation of zero-day vulnerabilities in Windows by malware programs is not that common. Microsoft’s recent Security Intelligence Report (SIR) showed that none of the malware infections cleaned by the MSRT (Malicious Software Removal Tool) used zero-day exploits.

Duqu, Son of Stuxnet, Targets European Industrial Control Systems

(LiveHacking.Com) – Details are emerging about a new worm which seems to be based on Stuxnet, the worm that was allegedly used by either Israel or the USA to attack Iran’s nuclear research.

According to Symantec, the new worm, which has been dubbed Duqu because it creates files with the prefix “~DQ”, has components that are nearly identical to those of Stuxnet, but with a completely different purpose.

Duqu shares a large proportion of its code with Stuxnet, but the payload carried by the worm is not intended to sabotage an industrial control system; instead it grants general remote access to a remote command-and-control (C&C) server. What this shows is that the writers of Duqu have access to the Stuxnet source code and not just its binaries.

Although the analysis of the worm shows no code related to industrial control systems, the executables have been found in organizations involved in the manufacturing of industrial control systems.

It is possible that this is a precursor to a future Stuxnet-like attack:

The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

This now calls into question the almost universal belief that Stuxnet was written by either Israel or the USA, since either of those countries launching a cyber attack on European companies is almost unthinkable given the political damage it would cause.