Windows 7 Forums

Windows 7: Microsoft issues temporary 'fix-it' for Duqu zero-day

04 Nov 2011   #1
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
Microsoft issues temporary 'fix-it' for Duqu zero-day

Microsoft has shipped an advisory to formally confirm the zero-day vulnerability used in the Duqu malware attack and is offering a temporary “fix-it” workaround to help Windows users block future attacks.

The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode, Microsoft said in its security advisory.

The company also confirmed my earlier report that this vulnerability will NOT be patched as part of this month’s Patch Tuesday bulletins.

The advisory includes a pre-patch workaround that can be applied to any Windows system.

To make it easy for customers to install, Microsoft released a fix-it that will allow one-click installation of the workaround and an easy way for enterprises to deploy. The one-click workaround can be found at the bottom of this KB article.

Microsoft explained that the Duqu malware exploit targets a problem in T2EMBED.DLL, which is called by the TrueType font parsing engine in certain circumstances. The workaround effectively denies access to T2EMBED.DLL, causing the exploit to fail.
Read more:

Microsoft issues temporary 'fix-it' for Duqu zero-day | ZDNet

Temporary Fix KB Article.

Duqu, which is believed to be linked to Stuxnet, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
Duqu: Status Updates Including Installer with Zero-Day Exploit Found

04 Nov 2011   #2
Phone Man

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit

Here is a quote from the KB article.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
This has always been good advice. Watch your e-mail and be sure it is safe before opening an attachment.

The Fix changes permissions on one DLL file and may block some software from functioning properly. Permissions can be restored if there are problems.

04 Nov 2011   #3

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

How does it bypass patch protection in kernel mode?
06 Nov 2011   #4

Windows 8.1 x64

It doesn't, actually, at least not at first - it appears to exploit COM code in t2embed.dll (font embedding using OpenType embedding has been around and documented since Win98) that then allows the exploit to "take over" services.exe, which gives the attacker enough access to the system to do significant damage to it (as much as the SYSTEM account can, anyway), although it never breaches the kernel until it can load a forged root certificate that will allow it to appear to the system as legitimate code.

To do this, it uses a forged/stolen digital certificate, which is part of the way it gains access to the system as trusted code, although once this certificate is revoked and the client machines pull new root certs (the folks who have turned this off have done themselves a disservice here....), it'll be harder for it to propagate. However, if it is re-released or finds a way to forge/steal other trusted certs from compromised machines, that won't help much long-term either.

The only way to really fix this appears to be to modify how the OpenType font system works (and probably patch services.exe too). I think this might be why they aren't coming out with a patch this month - I'm guessing patching this flaw (which is really multiple flaws) will take some time and testing, because turning OpenType off in the OS (as you can see from the workarounds) is a very breaking change to a lot of apps.

It's probably worth noting that most up-to-date antivirus applications out there already catch this (as I've tested in a lab VM), but if a machine is already infected, or folks aren't updating the 30-day trial software, etc. that came with a machine and aren't protected, they could be at risk. This malware, like almost all others these days, really finds its way in via the most vulnerable part of the system - the organic part.
06 Nov 2011   #5

Windows 7 & Windows Vista Ultimate

After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.
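For readers who want to see what the one-click Fix it actually changes (post #2), verify it, and later undo it before the real patch arrives (post #8), the following is an added PowerShell example; it is not from the thread, from Microsoft's Fix it, or from the ZDNet article. It reproduces the manual workaround from Microsoft Security Advisory 2639658 for Vista and Windows 7, which takes ownership of t2embed.dll and adds a Deny ACE for Everyone (both the System32 copy and, on x64, the SysWOW64 copy), and it also checks whether the two Embedded OpenType updates that post #5 says get re-offered (KB972270 and KB982132) are installed. The `Test-Workaround` and `Test-EotPatches` function names and the `-Action` parameter are this example's own choices. Run it from an elevated prompt; if you enabled Fix it 50792, use its matching disable Fix it rather than the `Revert` branch here, so that Microsoft's own record of the change is cleaned up.

```powershell
# Added example (not from the thread or from Microsoft's Fix it).
# Mirrors the manual workaround in Security Advisory 2639658 (Vista/7 steps):
# takeown + icacls deny for Everyone on every copy of t2embed.dll.
# Usage (elevated):  .\duqu-workaround.ps1 -Action Check | Apply | Revert
param(
    [ValidateSet('Check', 'Apply', 'Revert')]
    [string]$Action = 'Check'
)

# On x64 Windows there is a second, 32-bit copy of the DLL under SysWOW64;
# the advisory denies access to both, so enumerate whichever copies exist.
$dlls = @("$env:windir\system32\t2embed.dll")
$wow64 = "$env:windir\syswow64\t2embed.dll"
if (Test-Path $wow64) { $dlls += $wow64 }

function Test-Workaround {
    # $true only when every t2embed.dll copy carries a Deny ACE for Everyone.
    foreach ($dll in $dlls) {
        $acl = Get-Acl -Path $dll
        $denyEveryone = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone'
        }
        if (-not $denyEveryone) { return $false }
    }
    return $true
}

function Test-EotPatches {
    # Returns the KB numbers from post #5 that are NOT installed. Post #5
    # advises confirming both are present before hiding the re-offered updates.
    $missing = @()
    foreach ($kb in 'KB972270', 'KB982132') {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            $missing += $kb
        }
    }
    return $missing
}

switch ($Action) {
    'Apply' {
        foreach ($dll in $dlls) {
            # TrustedInstaller owns the file; take ownership so the ACL can change.
            takeown.exe /f $dll | Out-Null
            # Deny ACE for Everyone: any process (including the font engine
            # loading the DLL for an embedded font) is refused access.
            icacls.exe $dll /deny 'everyone:(F)' | Out-Null
        }
    }
    'Revert' {
        foreach ($dll in $dlls) {
            # Remove only the Deny entries for Everyone; the rest of the ACL stays.
            icacls.exe $dll /remove:d everyone | Out-Null
        }
    }
}

$missing = Test-EotPatches
if ($missing) {
    Write-Warning "Embedded OpenType updates not installed: $($missing -join ', ')"
}
"t2embed.dll copies checked : $($dlls -join ', ')"
"Workaround active          : $(Test-Workaround)"
```

The Deny ACE is what breaks embedded-font rendering in applications that legitimately load t2embed.dll (post #2 and post #4 both warn about this), which is why the check branch is worth running on a test machine before rolling the change out, and why the revert must be done before the eventual security update replaces the file.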
09 Nov 2011   #6

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]

Just a quick reminder about:

"Description of how the Attachment Manager works in Microsoft Windows"
Description of how the Attachment Manager works in Microsoft Windows

Hotfixes available when applying Group Policies for the Attachment Manager in Windows 7:
Recommended Updates for Group Policy in Windows Client and Server Products
09 Nov 2011   #7
Hopalong X

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit

The question is do we all need the Duqu fix it?

All I got out of it is confusion.
09 Nov 2011   #8

Windows 7 & Windows Vista Ultimate

The choice is yours as to whether you wish to install the Fix it. If you do enable the Fix it, don't forget to run the disable prior to installing the update when it is released.

With safe surfing and updated A/V, the risk doesn't seem great. From the MSRC blog {Bold Added}:
To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.


Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.
09 Nov 2011   #9
Hopalong X

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit

Thanks Corrine for the clarification.
10 Nov 2011   #10

Windows 8.1 x64

Just don't open documents from people you don't trust (as usual), and make sure to actively scan documents from people you do (as you probably should be doing anyway), and you'll be fine (the virus is picked up as stuxnet by the major A/V engines, and has been since the beginning - vigilance should = safety here).