Microsoft issues temporary 'fix-it' for Duqu zero-day

The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode
Written by Ryan Naraine, Contributor

Microsoft has shipped an advisory to formally confirm the zero-day vulnerability used in the Duqu malware attack and is offering a temporary "fix-it" workaround to help Windows users block future attacks.

The vulnerability affects the Win32k TrueType font parsing engine and allows hackers to run arbitrary code in kernel mode, Microsoft said in its security advisory.

The company also confirmed my earlier report that this vulnerability will NOT be patched as part of this month's Patch Tuesday bulletins.

The advisory includes a pre-patch workaround that can be applied to any Windows system.

To make it easy for customers to install, Microsoft released a fix-it that will allow one-click installation of the workaround and an easy way for enterprises to deploy. The one-click workaround can be found at the bottom of this KB article.

Microsoft explained that the Duqu malware exploit targets a problem in one of the T2EMBED.DLL, which called by the TrueType font parsing engine in certain circumstances.  The workaround effectively denies access to T2EMBED.DLL, causing the exploit to fail.

Windows kernel 'zero-day' found in Duqu attack ]

From the Microsoft Security Response Center blog:

To further protect customers, we provided our partners in the Microsoft Active Protections Program (MAPP) detailed information on how to build detection for their security products. This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability. Therefore we encourage customers to ensure their antivirus software is up-to-date.

Additionally, our engineering teams determined the root cause of this vulnerability, and we are working to produce a high-quality security update to address it. At this time, we plan to release the security update through our security bulletin process, although it will not be ready for this month’s bulletin release.

Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.

According to Symantec, the Duqu zero-day vulnerability was exploited via a rigged Word .doc and gave the hackers remote code execution once the file was opened.

Duqu, which is believed to be linked to Stuxnet,  is highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

* Image source: Maggiejumps’ Flickr photostream (Creative Commons 2.0)

Editorial standards