Windows 7 Forums


Windows 7: Microsoft issues temporary 'fix-it' for Duqu zero-day


04 Nov 2011   #1

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 
Microsoft issues temporary 'fix-it' for Duqu zero-day

Quote:
Microsoft has shipped an advisory to formally confirm the zero-day vulnerability used in the Duqu malware attack and is offering a temporary “fix-it” workaround to help Windows users block future attacks.

The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode, Microsoft said in its security advisory.

The company also confirmed my earlier report that this vulnerability will NOT be patched as part of this month’s Patch Tuesday bulletins.

The advisory includes a pre-patch workaround that can be applied to any Windows system.

To make it easy for customers to install, Microsoft released a fix-it that will allow one-click installation of the workaround and an easy way for enterprises to deploy. The one-click workaround can be found at the bottom of this KB article.

Microsoft explained that the Duqu malware exploit targets a problem in T2EMBED.DLL, which is called by the TrueType font parsing engine in certain circumstances. The workaround effectively denies access to T2EMBED.DLL, causing the exploit to fail.
Read more:

Microsoft issues temporary 'fix-it' for Duqu zero-day | ZDNet

Temporary Fix KB Article.

http://support.microsoft.com/kb/2639658

Quote:
Duqu, which is believed to be linked to Stuxnet, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
Duqu: Status Updates Including Installer with Zero-Day Exploit Found

http://www.symantec.com/connect/w32-...ro-day-exploit



04 Nov 2011   #2

Windows 8.1 Pro w/Media Center 64bit, Windows 7 HP 64bit
 
 

Here is a quote from the KB article.

Quote:
The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
This has always been good advice. Watch your e-mail and be sure it is safe before opening an attachment.

The Fix changes permissions on one DLL file and may block some software from functioning properly. Permissions can be restored if there are problems.

Jim
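The quoted advisory says the workaround "denies access to T2EMBED.DLL", and Jim notes that the Fix changes permissions on that one DLL and that they can be restored. The following PowerShell script is an added example, not part of this thread and not Microsoft's fix-it; it audits whether that permission change is present on a machine and can reverse it before the real update is installed (Corrine's reminder in a later post). It assumes the workaround is expressed as a Deny entry for the Everyone group (SID S-1-1-0) on t2embed.dll in System32 and, on 64-bit Windows, SysWOW64; the paths and the well-known SID are the only assumptions, and it must run from an elevated shell.

```powershell
# Added example (not from this thread or from Microsoft): report whether
# t2embed.dll carries a Deny ACE for Everyone (the assumed form of the
# KB 2639658 workaround) and, on request, remove that ACE again.
# Written to run on Windows 7's default PowerShell 2.0.

$EveryoneSid = 'S-1-1-0'   # well-known SID for the Everyone group
$T2embedPaths = @(
    "$env:windir\System32\t2embed.dll",
    "$env:windir\SysWOW64\t2embed.dll"   # only present on 64-bit Windows
)

function Get-EveryoneDenyRules {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for SID-based identities so the check works on localized systems
    # where the group is not literally named "Everyone".
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $EveryoneSid
    })
    return New-Object PSObject -Property @{ Acl = $acl; DenyRules = $deny }
}

function Get-T2embedWorkaroundState {
    # One result object per existing copy of the DLL.
    foreach ($p in $T2embedPaths) {
        if (-not (Test-Path -Path $p)) { continue }
        $state = Get-EveryoneDenyRules -Path $p
        New-Object PSObject -Property @{
            Path              = $p
            WorkaroundApplied = ($state.DenyRules.Count -gt 0)
            DenyRights        = (($state.DenyRules | ForEach-Object { $_.FileSystemRights }) -join ', ')
        }
    }
}

function Remove-T2embedWorkaround {
    # Reverses the assumed workaround by stripping the Everyone Deny ACE.
    # Requires an elevated shell; if Set-Acl is refused because the file is
    # owned by TrustedInstaller, use the KB article's own "disable" fix-it.
    foreach ($p in $T2embedPaths) {
        if (-not (Test-Path -Path $p)) { continue }
        $state = Get-EveryoneDenyRules -Path $p
        foreach ($rule in $state.DenyRules) {
            [void]$state.Acl.RemoveAccessRule($rule)
        }
        if ($state.DenyRules.Count -gt 0) {
            Set-Acl -Path $p -AclObject $state.Acl
        }
        New-Object PSObject -Property @{ Path = $p; DenyRulesRemoved = $state.DenyRules.Count }
    }
}

# Default action: just report. Run Remove-T2embedWorkaround explicitly to undo.
Get-T2embedWorkaroundState | Format-Table Path, WorkaroundApplied, DenyRights -AutoSize
```

The audit half is read-only and is the useful part for a tech checking a fleet of machines after the fix-it was pushed; it also explains the symptom in the next post, since any application that loads t2embed.dll will fail while the Deny entry is in place. The removal half does exactly what restoring the permissions means here and nothing else, so it does not re-add any allow entries the administrator may have changed by hand.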
04 Nov 2011   #3

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
 
 

How does it bypass patch protection in kernel mode?


06 Nov 2011   #4

Windows Server 2008 R2
 
 

It doesn't, actually, at least not at first - it appears to exploit COM code in t2embed.dll (font embedding using OpenType embedding has been around and documented since Win98) that then allows the exploit to "take over" services.exe, which gives the attacker enough access to the system to do significant damage to it (as much as the SYSTEM account can, anyway), although it never breaches the kernel until it can load a forged root certificate that will allow it to appear to the system as legitimate code. To do this, it uses a forged/stolen digital certificate, which is part of the way it gains access to the system as trusted code, although once this certificate is revoked and the client machines pull new root certs (the folks who have turned this off have done themselves a disservice here....), it'll be harder for it to propagate. However, if it is re-released or finds a way to forge/steal other trusted certs from compromised machines, that won't help much long-term either. The only way to really fix this appears to be to modify how the OpenType font system works (and probably patch services.exe too). I think this might be why they aren't coming out with a patch this month - I'm guessing patching this flaw (which is really multiple flaws) will take some time and testing, because turning OpenType off in the OS (as you can see from the workarounds) is a very breaking change to a lot of apps.

It's probably worth noting that most up-to-date antivirus applications out there already catch this (as I've tested in a lab VM), but if a machine is already infected, or folks aren't updating the 30-day trial software, etc. that came with a machine and aren't protected, they could be at risk. This malware, like almost all others these days, really finds its way in via the most vulnerable part of the system - the organic part.
06 Nov 2011   #5

Windows 7 & Windows Vista Ultimate
 
 

After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.
09 Nov 2011   #6
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

Just a quick reminder about:

"Description of how the Attachment Manager works in Microsoft Windows"
Description of how the Attachment Manager works in Microsoft Windows

Hotfixes available when applying Group Policies for the Attachment Manager in Windows 7:
Recommended Updates for Group Policy in Windows Client and Server Products
09 Nov 2011   #7

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
 
 

The question is do we all need the Duqu fix it?

All I got out of it is confusion.
09 Nov 2011   #8

Windows 7 & Windows Vista Ultimate
 
 

The choice is yours as to whether you wish to install the Fix it. If you do enable the Fix it, don't forget to run the disable prior to installing the update when it is released.

With safe surfing and updated A/V, the risk doesn't seem great. From the MSRC blog {Bold Added}:
Quote:
To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

{Snip}

Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.
09 Nov 2011   #9

Windows7 Pro 64bit SP-1; Windows XP Pro 32bit
 
 

Thanks Corrine for the clarification.
10 Nov 2011   #10

Windows Server 2008 R2
 
 

Just don't open documents from people you don't trust (as usual), and make sure to actively scan documents from people you do (as you probably should be doing anyway), and you'll be fine (the virus is picked up as stuxnet by the major A/V engines, and has been since the beginning - vigilance should = safety here).
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd