Duqu exploits same Windows font engine patched last month, Microsoft confirms
Offers automated tool to block access to TrueType embedded fonts while it works on patch
Computerworld - Microsoft on Thursday confirmed that the Windows kernel vulnerability exploited by the Duqu Trojan is within the TrueType parsing engine, the same component it last patched just last month.
In a security advisory published yesterday, Microsoft spelled out some information about the vulnerability and said it was working on a patch. The company did not set a timetable for releasing the fix, but did say that the patch would not appear as part of the batch it plans to ship next week.
"We plan to release the security update through our security bulletin process, although it will not be ready for this month's bulletin release," said Jerry Bryant, a group manager with Microsoft's Trustworthy Computing Group, in a blog post late Thursday.
Microsoft has slated a four-patch update for Nov. 8.
According to Symantec, which has been working with the Laboratory of Cryptography and Systems Security (Crysys) at Budapest University, Duqu infects Windows PCs using a malformed Word document that's delivered to victims as an email attachment. When victims open the attached document, the exploit is triggered, giving Duqu's installer the foothold it needs to install the Trojan.
Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year was pegged as an attack tool aimed at Iran's nuclear program.
As expected, Microsoft classified the kernel vulnerability as an elevation of privilege bug, meaning that it can be used to provide attackers with rights on the targeted PC necessary to install and run software.
Microsoft patched the same part of the "Win32k.sys" kernel-mode device driver just last month, when it fixed a flaw in the TrueType parsing engine that could let hackers conduct denial-of-service attacks to cripple Windows PCs.
That patch was one of four that patched various kernel bugs included in the MS11-077 security update.
Prior to last month, the most recent update to the TrueType parsing engine within Win32k.sys was in June 2010, when Microsoft issued MS10-032 to fix a different elevation of privilege bug.
Microsoft has been extremely busy patching pieces of the Windows kernel this year.
So far during 2011, Microsoft has patched 56 different kernel vulnerabilities with updates issued in February, April, June, July, August and October. In April alone, the company fixed 30 bugs, then quashed 15 more in July.
In lieu of a fix, Microsoft told customers Thursday that they could defend their systems by blocking access to "t2embed.dll," the dynamic link library that handles embedded TrueType fonts.
The advisory offered command-prompt strings IT administrators can use to deny access to t2embed.dll, and links to one of Microsoft's usual "Fix-it" tools that automate the process of blocking or unblocking access to the library.
Blocking t2embed.dll, however, has side effects: Applications that rely on embedded fonts -- and those include not only Word but also many other programs, including browsers -- will not render text properly.
Microsoft hinted that it was unlikely to patch the latest kernel vulnerability with an emergency, or so-called "out-of-band," update unless the volume of attacks suddenly spikes.
"The risk for customers remains low," said Bryant. "[But] we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts