Microsoft issues temporary 'fix-it' for Duqu zero-day



    Posted: 04 Nov 2011
    Microsoft has shipped an advisory to formally confirm the zero-day vulnerability used in the Duqu malware attack and is offering a temporary “fix-it” workaround to help Windows users block future attacks.

    The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode, Microsoft said in its security advisory.

    The company also confirmed my earlier report that this vulnerability will NOT be patched as part of this month’s Patch Tuesday bulletins.

    The advisory includes a pre-patch workaround that can be applied to any Windows system.

    To make it easy for customers to install, Microsoft released a fix-it that will allow one-click installation of the workaround and an easy way for enterprises to deploy. The one-click workaround can be found at the bottom of this KB article.

    Microsoft explained that the Duqu malware exploit targets a problem in T2EMBED.DLL, which is called by the TrueType font parsing engine in certain circumstances. The workaround effectively denies access to T2EMBED.DLL, causing the exploit to fail.
    Read more:

    Microsoft issues temporary 'fix-it' for Duqu zero-day | ZDNet

    Temporary Fix KB Article.

    http://support.microsoft.com/kb/2639658

    Duqu, which is believed to be linked to Stuxnet, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
    Duqu: Status Updates Including Installer with Zero-Day Exploit Found

    http://www.symantec.com/connect/w32-...ro-day-exploit
    Posted By: Borg 386, 04 Nov 2011



    #1 (Posts: 2,686 | Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit)

    Here is a quote from the KB article.

    The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
    This has always been good advice. Watch your e-mail and be sure it is safe before opening an attachment.

    The Fix changes permissions on one DLL file and may block some software from functioning properly. Permissions can be restored if there are problems.

    Jim
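Since the workaround works by changing permissions on T2EMBED.DLL, a defender will want a way to confirm whether it is actually in place on a given machine (and to know it is still there before disabling it ahead of the real update). The following read-only audit script is an added example, not code from the thread or from Microsoft's Fix it; it assumes the workaround is implemented as a Deny entry for the Everyone group (SID S-1-1-0) on the DLL, which is how the manual steps describe it, and checks both the System32 and SysWOW64 copies.

```powershell
# Added example: audit whether the T2EMBED.DLL access-deny workaround is present.
# Assumption: the workaround appears as a Deny ACE for Everyone (S-1-1-0) on the file.
# This script only reads ACLs; it does not change anything.
$paths = @(
    (Join-Path $env:windir 'System32\t2embed.dll'),
    (Join-Path $env:windir 'SysWOW64\t2embed.dll')   # 32-bit copy on x64 Windows
)

function Test-T2EmbedWorkaround {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Denied = $false; Owner = $null }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Compare by SID rather than by name so the check works on localized systems.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    [pscustomobject]@{
        Path   = $Path
        Exists = $true
        Denied = [bool]$deny
        Owner  = $acl.Owner   # the manual steps take ownership first, so this often changes too
    }
}

$results = $paths | ForEach-Object { Test-T2EmbedWorkaround -Path $_ }
$results | Format-Table -AutoSize

# The workaround is only complete when every copy that exists on the box is blocked.
$present   = @($results | Where-Object { $_.Exists })
$unblocked = @($present | Where-Object { -not $_.Denied })
if ($present.Count -gt 0 -and $unblocked.Count -eq 0) {
    Write-Output 'Workaround state: APPLIED (disable it before installing the permanent update).'
} else {
    Write-Output 'Workaround state: NOT applied on at least one copy of T2EMBED.DLL.'
}
```

Run it from an elevated PowerShell prompt; reading the ACL of a file whose Everyone access is denied can itself fail for a standard user.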


    #2 (Posts: 1,777 | MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade)

    How does it bypass patch protection in kernel mode?


    #3 (Posts: 2,528 | Windows 10 Pro x64)

    It doesn't, actually, at least not at first - it appears to exploit COM code in t2embed.dll (font embedding using OpenType embedding has been around and documented since Win98) that then allows the exploit to "take over" services.exe, which gives the attacker enough access to the system to do significant damage to it (as much as the SYSTEM account can, anyway), although it never breaches the kernel until it can load a forged root certificate that will allow it to appear to the system as legitimate code. To do this, it uses a forged/stolen digital certificate, which is part of the way it gains access to the system as trusted code, although once this certificate is revoked and the client machines pull new root certs (the folks who have turned this off have done themselves a disservice here....), it'll be harder for it to propagate. However, if it is re-released or finds a way to forge/steal other trusted certs from compromised machines, that won't help much long-term either. The only way to really fix this appears to be to modify how the OpenType font system works (and probably patch services.exe too). I think this might be why they aren't coming out with a patch this month - I'm guessing patching this flaw (which is really multiple flaws) will take some time and testing, because turning OpenType off in the OS (as you can see from the workarounds) is a very breaking change to a lot of apps.

    It's probably worth noting that most up-to-date antivirus applications out there already catch this (as I've tested in a lab VM), but if a machine is already infected, or folks aren't updating the 30-day trial software, etc. that came with a machine and aren't protected, they could be at risk. This malware, like almost all others these days, really finds its way in via the most vulnerable part of the system - the organic part.


    #4 (Posts: 2,303 | Windows 7 & Windows Vista Ultimate)

    After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

    In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

    To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.


    #5 NoN (Posts: 4,166 | Windows 7 Professional SP1 - x64 [Non-UEFI Boot])

    Just a quick reminder about:

    "Description of how the Attachment Manager works in Microsoft Windows"

    Hotfixes available when applying Group Policies for the Attachment Manager in Windows 7:
    Recommended Updates for Group Policy in Windows Client and Server Products
    Last edited by NoN; 09 Nov 2011 at 19:47.


    #6 (Posts: 6,349 | Windows7 Pro 64bit SP-1; Windows XP Pro 32bit)

    The question is do we all need the Duqu fix it?

    All I got out of it is confusion.


    #7 (Posts: 2,303 | Windows 7 & Windows Vista Ultimate)

    The choice is yours as to whether you wish to install the Fix it. If you do enable the Fix it, don't forget to run the disable prior to installing the update when it is released.

    With safe surfing and updated A/V, the risk doesn't seem great. From the MSRC blog {Bold Added}:
    To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

    {Snip}

    Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.


    #8 (Posts: 6,349 | Windows7 Pro 64bit SP-1; Windows XP Pro 32bit)

    Thanks Corrine for the clarification.


    #9 (Posts: 2,528 | Windows 10 Pro x64)

    Just don't open documents from people you don't trust (as usual), and make sure to actively scan documents from people you do (as you probably should be doing anyway), and you'll be fine (the virus is picked up as stuxnet by the major A/V engines, and has been since the beginning - vigilance should = safety here).


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd