Microsoft Releases Workaround For Kernel Flaw Used By Duqu

2011-11-04T11:47:32
ID THREATPOST:DEDA9E6DCA21010A215B158BFF80253C
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:33:25

Description

Microsoft has released a workaround for the Windows kernel zero-day vulnerability exploited by the Duqu malware and said that it is working on a permanent patch, but it did not specify a timeline for the patch's release. The vulnerability is a serious one: a successful exploit leads to remote code execution with kernel-mode privileges on vulnerable machines.

In an advisory issued Thursday night, Microsoft security officials said that the flaw is in the Win32k TrueType font parsing engine in Windows. This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the vulnerability will not be ready in time for next week's November Patch Tuesday release. The FixIt tool that Microsoft released Thursday automatically applies the workaround the company suggests in its security advisory on the Windows kernel flaw: denying all users access to t2embed.dll, the library that handles embedded fonts.

To apply the workaround manually, users of 32-bit systems can enter the following at an administrative command prompt (the piped "y" answers the confirmation prompt that cacls displays):

Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

For 64-bit systems, both the native copy and the WOW64 copy of the DLL must be blocked, so users should enter these two commands at an administrative command prompt:

Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N
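The same workaround wrapped in a small script that applies it, checks whether it is in place, or reverts it on either architecture. This is an added example, not code from the article or from Microsoft's FixIt tool; it assumes an elevated PowerShell prompt, the stock cacls.exe, and an illustrative script name, and it uses the undo step from Microsoft's advisory (`cacls ... /E /R everyone`) for the Revert action. Because the deny entry blocks every principal from reading t2embed.dll, applications that depend on embedded fonts will stop rendering them while the workaround is in place, so the Verify action reports the state of each copy of the DLL so that it can be confirmed before and after the permanent patch is installed.

```powershell
<#
Added example (not from the Threatpost article or Microsoft's FixIt tool).
Applies, verifies, or reverts the t2embed.dll access-deny workaround from
Microsoft's advisory. Run from an elevated PowerShell prompt, for example:
    .\Set-T2embedWorkaround.ps1 -Action Apply
    .\Set-T2embedWorkaround.ps1 -Action Verify
    .\Set-T2embedWorkaround.ps1 -Action Revert
Assumptions: cacls.exe is available; the script file name is illustrative.
#>
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify'
)

# The native copy always exists; on 64-bit Windows the WOW64 copy used by
# 32-bit applications must be blocked too (the advisory's second command).
$targets = @("$env:windir\system32\t2embed.dll")
$wow64 = "$env:windir\syswow64\t2embed.dll"
if (Test-Path $wow64) { $targets += $wow64 }

function Test-EveryoneDenied {
    param([string]$Path)
    # "cacls ... everyone:N" writes a Deny ACE for the Everyone group (SID S-1-1-0).
    # Compare SIDs rather than display names so localized systems match as well.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq 'S-1-1-0') {
            return $true
        }
    }
    return $false
}

function Test-IsAdministrator {
    # Changing the ACL of a file under %windir% requires an elevated token.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ($Action -ne 'Verify' -and -not (Test-IsAdministrator)) {
    throw "Action '$Action' must be run from an elevated (Administrator) PowerShell prompt."
}

switch ($Action) {
    'Apply' {
        foreach ($t in $targets) {
            # Same command as the advisory; the piped 'y' answers cacls' "Are you sure" prompt.
            'y' | cacls.exe $t /E /P everyone:N | Out-Null
        }
    }
    'Revert' {
        foreach ($t in $targets) {
            # Undo step given in the advisory: revoke the Everyone entry added above.
            cacls.exe $t /E /R everyone | Out-Null
        }
    }
}

# Report the resulting state of every copy of the DLL, whatever the action was.
foreach ($t in $targets) {
    if (Test-EveryoneDenied $t) { "$t : access denied to Everyone (workaround in place)" }
    else { "$t : accessible (workaround NOT in place)" }
}
```

Verify needs no elevation and is safe to run repeatedly, for instance from an inventory script across a fleet; Apply and Revert are idempotent because cacls /P replaces any existing Everyone entry and /R simply removes it.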

Microsoft said in its advisory that although the overall customer impact of the vulnerability has been low so far, the flaw has been used in targeted attacks by the Duqu malware.

“Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time,” the advisory says.

The company said it is monitoring the ongoing attacks and is aware that the kind and prevalence of the attacks could change quickly, so it recommends that users apply the workaround now and install the patch as soon as it is available.

“Finally, given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk. As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue,” Microsoft’s Jerry Bryant said in a blog post.