Microsoft issues temporary 'fix-it' for Duqu zero-day

Microsoft issues temporary 'fix-it' for Duqu zero-day

Summary: The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode

SHARE:
TOPICS: Microsoft
53

Microsoft has shipped an advisory to formally confirm the zero-day vulnerability used in the Duqu malware attack and is offering a temporary "fix-it" workaround to help Windows users block future attacks.

The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode, Microsoft said in its security advisory.

The company also confirmed my earlier report that this vulnerability will NOT be patched as part of this month's Patch Tuesday bulletins.

The advisory includes a pre-patch workaround that can be applied to any Windows system.

follow Ryan Naraine on twitter

To make it easy for customers to install, Microsoft released a fix-it that will allow one-click installation of the workaround and an easy way for enterprises to deploy. The one-click workaround can be found at the bottom of this KB article.

Microsoft explained that the Duqu malware exploit targets a problem in one of the T2EMBED.DLL, which called by the TrueType font parsing engine in certain circumstances.  The workaround effectively denies access to T2EMBED.DLL, causing the exploit to fail.

Windows kernel 'zero-day' found in Duqu attack ]

From the Microsoft Security Response Center blog:

To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.

According to Symantec, the Duqu zero-day vulnerability was exploited via a rigged Word .doc and gave the hackers remote code execution once the file was opened.

Duqu, which is believed to be linked to Stuxnet,  is highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

* Image source: Maggiejumps’ Flickr photostream (Creative Commons 2.0)

Topic: Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

53 comments
Log in or register to join the discussion
  • PDF killer...

    The FixIt kills the ability to export to PDF in Office 2010 (I assume the same is true in 2007).

    I installed the fix this morning, then I needed to export an MS Project plan as PDF and it just did nothing... After 3 or 4 attempts, I switched to Word and tried to generate a PDF from there, at least Word comes up with an error message!

    I removed the FixIt and PDF worked again...

    I am in two minds, whether to leave the machine unfixed and be able to generate PDFs (something I regularly have to do) or enable/disable the FixIt constantly.
    wright_is
    • Nice post

      Thanks for what and how you posted.
      ego.sum.stig
    • Well, You Could Install a PDF Printer as a Workaround

      @wright_is
      I suppose if neither solution seems acceptable, you could possibly work around the issue by installing software that creates a 'print to PDF' system printer. It's probably a bit less convenient to send your document to that virtual printer, but it could probably get you through to the next patch when the problem is really fixed.
      CFWhitman
      • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

        @CFWhitman If you have Adobe Acrobat, you have Adobe PDF as a "system" printer ("Distiller"). Creating PDFs from Office (or other software) makes overly large, poor quality PDFs. Distiller is the only way to make true press quality PDFs.
        flboffin
      • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

        @CFWhitman Yeah, the post was more to inform, that the fix introduces problems.

        I don't tend to surf to unsecure sites or download dodgy files, so I should be reasonably safe - unless another machine on the network gets infected or a major site gets hacked.

        I have been thinking about one of the free PDF print solutions as a stop-gap.
        wright_is
    • .....OR, don't open unknow Word docs ....

      @wright_is
      from untrusted sites!
      kd5auq
      • This exploit was achieved from Word...

        @kd5auq
        that doesn't mean that it can only be achieved from Word. They used a font vulnerability. IE uses fonts. It doesn't take a rocket scientist to understand that this vulnerability could potentially be exploited directly from any Microsoft application that uses fonts, which isn't just Word.
        jasonp@...
      • Firefox loads t2embed.dll

        @jasonp@... I just checked Firefox v3.6.23 with Sysinternals Process Explorer. The dll in question, t2embed.dll, is loaded for Firefox as I write this post at ZDNet.com.

        Edit: Looked into this a bit deeper. The NoScript add-on, by default, treats fonts just as it does other active embeddings and forbids @font-face for untrusted sites:

        http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/

        Yet another reason to use NoScript with Firefox.

        In addition, Mozilla added support for the OTS font sanitizer to Firefox v3.6.13 (and I believe that Chrome has this now too):

        http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
        Rabid Howler Monkey
    • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

      @wright_is
      Hi :)
      Thanks for letting people know. Also for letting people know they can undo things to get back to unpatched if they have the problem too.

      There are various other tools for creating Pdf. It's possible to install LibreOffice alongside MS Office and still keep MS Office as the main & default office suite.

      @Ryan Naraine
      I definitely appreciate the original article. It is this sort of thing that keeps me tuned in to ZdNet.

      Does the vulnerability only affect MS Office or does it also affect OpenOffice & LibreOffice too?
      Thanks and regards from
      Tom :)
      Tom6
      • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

        @Tom6 I haven't tried it with OpenOffice or LibreOffice. We use Office 2010 here and switching between OpenOffice and MS Office is a pain, mainly due to the wasted hours reformatting, so OO.o wouldn't be an option for generating PDF, even if it worked.

        I worked for a long time on OO.o, but found out very quickly, that having a Windows machine in the corner, with MS Office on it was a necessity, if I was exchanging documents with other businesses, as the OO.o interpretation of how a .doc or .ppt should look differs wildly from how MS interpret it - pagination and formatting go haywire on anything but the most simple of documents.
        wright_is
      • Probably not......

        @Tom6

        Since linux does not normally use dll files, there would not be any risk.
        linux for me
      • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

        @Tom6 wrote:
        "Does the vulnerability only affect MS Office or does it also affect OpenOffice & LibreOffice too?

        I am going to make an *educated guess* that neither OpenOffice nor LibreOffice embed TrueType (or any other) fonts based on these two links:

        "Re: [libreoffice-users] I want font embedding to be enabled today.
        http://listarchives.libreoffice.org/global/users/msg11729.html

        "[Issue] Embedded Fonts
        http://user.services.openoffice.org/en/forum/viewtopic.php?f=7&p=45326
        Rabid Howler Monkey
    • What's the worst that could happen?

      @wright_is ... What are your chances of becoming infected? It seems like a difficult thing to fix properly, possibly the reason it's taking a greater amount of time. Leaving it unprotected with no problems seems viable especially if you don't open unsolicited Word documents.
      Joe.Smetona
      • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

        @Joe.Smetona They haven't had any lead time to get it fixed for this month, even if the patch was relatively simple to implement, you probably have at couple of weeks worth of testing, to ensure that it doesn't break anything - like this fixit currently does.

        As to chances of being infected? Web browsers, like Firefox, use the library, so it only takes one malformed website...
        wright_is
    • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

      Microsoft has really become a thorn in the side -- it's now time to remove the dual boot, kick out windows and retain Linux.
      retired_gfx@...
      • My netbook

        @retired_gfx@... My Acer netbook has 64 bit Windows and I set up dual boot with Linux Mint. We use Linux and I will boot Windows to allow the updates to run. I installed Avira when I first got it and now, Avira is throwing up "you're infected" warning messages when just trying to let the updates run. This is in contrast to using Linux for 9 years with no AV and no infection issues. Any use of Windows is a big step down. It's so nice to have an OS that runs without attention and doesn't demand extra labor to remove malware.

        I've said this many times before: People posting here, for the most part, maintain one Windows computer and deal with malware and virus updates and maintenance. When you maintain 10-100 computers, having Windows will kill you. Linux on the other hand does not require attention.
        Joe.Smetona
      • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

        @retired_gfx@...

        "This is in contrast to using Linux for 9 years with no AV and no infection issues."

        Which is exactly my experience with 10+ years of Windows :). Even a minimal amount of preventative maintenance goes a long way. It's no longer the real hassle of the Windows 9x days.

        "When you maintain 10-100 computers, having Windows will kill you."

        Not really, where I work everything is on servers and we just reimage clients with issues. With a bit of preventative maintenance, that's pretty rare. Our new security guy is pretty good at keeping up with patches.
        CobraA1
  • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

    THX Ryan:

    And we have to wait at least a month for a real fix???
    Merlin the Wiz
    • MS has released out of band patches

      @Merlin the Wiz
      It is a myth that MS only releases patches once a month.
      toddybottom
  • RE: Microsoft issues temporary 'fix-it' for Duqu zero-day

    doesn't sound like much of a fix at this point... with hundreds of laptops and pcs, the thought of deploying it is really ugly, even if you ignore the pdf issue, above. I think I will wait til it rolls up in SUS to deploy.
    charliegalliher