Microsoft issues temporary 'fix-it' for Duqu zero-day
Summary: The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode
Microsoft has shipped an advisory to formally confirm the zero-day vulnerability used in the Duqu malware attack and is offering a temporary "fix-it" workaround to help Windows users block future attacks.
The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode, Microsoft said in its security advisory.
The company also confirmed my earlier report that this vulnerability will not be patched as part of this month's Patch Tuesday bulletins.
The advisory includes a pre-patch workaround that can be applied to any Windows system.
To make it easy for customers to install, Microsoft released a fix-it that allows one-click installation of the workaround and gives enterprises an easy way to deploy it. The one-click workaround can be found at the bottom of the accompanying Knowledge Base article.
Microsoft explained that the Duqu exploit targets a flaw reached through T2EMBED.DLL, a library the TrueType font parsing engine calls in certain circumstances. The workaround denies access to T2EMBED.DLL, so the exploit fails before it reaches the vulnerable code. Because the same library serves legitimate font embedding, the workaround can also break features such as exporting documents to PDF; the fix-it can be undone to restore them.
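The following script is an added example, not Microsoft's fix-it package, showing what the "deny access to T2EMBED.DLL" workaround amounts to in terms of file ACLs: it applies the deny entry, reports whether it is in place, or removes it again. It assumes the DLL sits in %windir%\System32 (and %windir%\SysWOW64 on 64-bit Windows), that takeown.exe and icacls.exe are available (Vista and later), and that it is run from an elevated PowerShell prompt; the script name and the -Action parameter are inventions for this example.

```powershell
# Added example (not Microsoft's Fix-it): apply, check, or undo the
# "deny Everyone access to t2embed.dll" workaround. Run elevated.
# Assumptions: t2embed.dll lives in System32 (and SysWOW64 on x64);
# takeown.exe and icacls.exe exist (Vista+). S-1-1-0 is the Everyone SID,
# used instead of the localized name so the script works on any locale.
param(
    [ValidateSet('Apply', 'Undo', 'Status')]
    [string]$Action = 'Status'
)

$everyoneSid = 'S-1-1-0'
$targets = @("$env:windir\System32\t2embed.dll")
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    $targets += "$env:windir\SysWOW64\t2embed.dll"
}

function Test-DenyAceForEveryone([string]$Path) {
    # True when an explicit Deny ACE for Everyone exists on the file,
    # i.e. the workaround is active. Allow entries are ignored.
    $deny = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
    }
    return ($deny | Measure-Object).Count -gt 0
}

foreach ($dll in $targets) {
    switch ($Action) {
        'Apply' {
            # System32 files are owned by TrustedInstaller; take ownership so
            # the ACL edit is permitted, then add a full-control Deny ACE.
            & takeown.exe /f $dll | Out-Null
            & icacls.exe $dll /deny "*${everyoneSid}:(F)" | Out-Null
        }
        'Undo' {
            # Remove only Deny entries for Everyone; Allow entries stay intact.
            & icacls.exe $dll /remove:d "*$everyoneSid" | Out-Null
        }
    }
    $state = if (Test-DenyAceForEveryone $dll) { 'access denied (workaround active)' }
             else { 'accessible (workaround not applied)' }
    "{0}: {1}" -f $dll, $state
}
```

Usage: `.\t2embed-workaround.ps1 -Action Apply`, then `-Action Status` to confirm, and `-Action Undo` before doing anything that embeds fonts (the PDF export failures reported in the comments below are exactly this deny entry at work). Note that Undo removes the Deny ACE but does not hand ownership of the file back to TrustedInstaller; the supported path is still Microsoft's fix-it and its matching undo package.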
From the Microsoft Security Response Center blog:

To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.
Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.
Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.
According to Symantec, the Duqu zero-day was exploited via a rigged Word .doc carrying the malicious font; opening the file was enough to give the attackers arbitrary code execution in kernel mode.
Duqu, which is believed to be linked to Stuxnet, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
Talkback
PDF killer...
I installed the fix this morning, then I needed to export an MS Project plan as PDF and it just did nothing... After 3 or 4 attempts, I switched to Word and tried to generate a PDF from there, at least Word comes up with an error message!
I removed the FixIt and PDF worked again...
I am in two minds, whether to leave the machine unfixed and be able to generate PDFs (something I regularly have to do) or enable/disable the FixIt constantly.
Nice post
Well, You Could Install a PDF Printer as a Workaround
I suppose if neither solution seems acceptable, you could possibly work around the issue by installing software that creates a 'print to PDF' system printer. It's probably a bit less convenient to send your document to that virtual printer, but it could probably get you through to the next patch when the problem is really fixed.
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
I don't tend to surf to unsecure sites or download dodgy files, so I should be reasonably safe - unless another machine on the network gets infected or a major site gets hacked.
I have been thinking about one of the free PDF print solutions as a stop-gap.
.....OR, don't open unknown Word docs ....
from untrusted sites!
This exploit was achieved from Word...
that doesn't mean that it can only be achieved from Word. They used a font vulnerability. IE uses fonts. It doesn't take a rocket scientist to understand that this vulnerability could potentially be exploited directly from any Microsoft application that uses fonts, which isn't just Word.
Firefox loads t2embed.dll
Edit: Looked into this a bit deeper. The NoScript add-on, by default, treats fonts just as it does other active embeddings and forbids @font-face for untrusted sites:
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/
Yet another reason to use NoScript with Firefox.
In addition, Mozilla added support for the OTS font sanitizer to Firefox v3.6.13 (and I believe that Chrome has this now too):
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html
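The comment above makes the point that Word is not the only application that loads t2embed.dll. The script below is an added example, not part of the original post, that lists which running processes currently have the library mapped, so you can see what else on a given machine is exposed to the bug and what the access-deny workaround will affect. It assumes the module name t2embed.dll and that PowerShell runs with the same bitness as the processes of interest (a 32-bit PowerShell cannot enumerate 64-bit process modules).

```powershell
# Added example (not from the original post): enumerate processes that have a
# given module loaded. Assumption: the module is named t2embed.dll; processes
# owned by other users raise an access error unless elevated, and are skipped.
function Get-ProcessesUsingModule {
    param([string]$ModuleName = 't2embed.dll')

    Get-Process | ForEach-Object {
        $proc = $_
        try {
            # .Modules enumerates loaded DLLs; match on the file name only.
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
        } catch {
            $hit = $null   # access denied or process already exited
        }
        if ($hit) {
            [pscustomobject]@{
                Name = $proc.ProcessName
                Id   = $proc.Id
                Path = $hit.FileName
            }
        }
    }
}

Get-ProcessesUsingModule | Sort-Object Name | Format-Table -AutoSize
```

Open a Word document, a browser tab with web fonts and a PDF export in turn and re-run it to watch the list change; `tasklist /m t2embed.dll` from a command prompt gives the same answer without PowerShell.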
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
Hi :)
Thanks for letting people know. Also for letting people know they can undo things to get back to unpatched if they have the problem too.
There are various other tools for creating Pdf. It's possible to install LibreOffice alongside MS Office and still keep MS Office as the main & default office suite.
@Ryan Naraine
I definitely appreciate the original article. It is this sort of thing that keeps me tuned in to ZdNet.
Does the vulnerability only affect MS Office or does it also affect OpenOffice & LibreOffice too?
Thanks and regards from
Tom :)
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
I worked for a long time on OO.o, but found out very quickly that having a Windows machine in the corner with MS Office on it was a necessity if I was exchanging documents with other businesses, as the OO.o interpretation of how a .doc or .ppt should look differs wildly from how MS interpret it - pagination and formatting go haywire on anything but the most simple of documents.
Probably not......
Since linux does not normally use dll files, there would not be any risk.
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
"Does the vulnerability only affect MS Office or does it also affect OpenOffice & LibreOffice too?"
I am going to make an *educated guess* that neither OpenOffice nor LibreOffice embed TrueType (or any other) fonts based on these two links:
"Re: [libreoffice-users] I want font embedding to be enabled today."
http://listarchives.libreoffice.org/global/users/msg11729.html
"[Issue] Embedded Fonts"
http://user.services.openoffice.org/en/forum/viewtopic.php?f=7&p=45326
What's the worst that could happen?
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
As to chances of being infected? Web browsers, like Firefox, use the library, so it only takes one malformed website...
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
My netbook
I've said this many times before: People posting here, for the most part, maintain one Windows computer and deal with malware and virus updates and maintenance. When you maintain 10-100 computers, having Windows will kill you. Linux on the other hand does not require attention.
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
"This is in contrast to using Linux for 9 years with no AV and no infection issues."
Which is exactly my experience with 10+ years of Windows :). Even a minimal amount of preventative maintenance goes a long way. It's no longer the real hassle of the Windows 9x days.
"When you maintain 10-100 computers, having Windows will kill you."
Not really, where I work everything is on servers and we just reimage clients with issues. With a bit of preventative maintenance, that's pretty rare. Our new security guy is pretty good at keeping up with patches.
RE: Microsoft issues temporary 'fix-it' for Duqu zero-day
And we have to wait at least a month for a real fix???
MS has released out of band patches
It is a myth that MS only releases patches once a month.