Microsoft Working on Duqu Fix; Workaround Out

Friday, November 4, 2011 @ 01:11 PM gHale

When it comes to zero day vulnerabilities, you want a patch quick, but you also want it done right.

That is why Microsoft is looking into a reported zero day vulnerability in Windows used by the Duqu malware to spread, but isn’t committing to a patch for this month’s scheduled update. In the meantime, it offered a workaround.

Duqu Installer Exploits a Zero Day
Looking for Duqu’s Real Target
ICS Threat Brewing; Target Unclear
Old Becomes New: DLL Loading is Back

“Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware,” the company said in a statement attributed to Jerry Bryant of the company’s Trustworthy Computing effort. “We are working diligently to address this issue and will release a security update for customers through our security bulletin process.”

Anti malware firms have been tracking Duqu – a variant of the Stuxnet worm — since mid October, after the CrySyS Lab at the Budapest University of Technology and Economics discovered it.

It took almost a month until researchers analyzing the malware found an installer program for the Trojan horse malware includes an exploit for a previously unknown vulnerability in the Windows kernel. The vulnerability allows remote code execution on vulnerable systems.

Symantec researchers found the installer uses the zero day to gain a foothold in an organization. The attackers then command it to spread to other computers on the infected network.

Analysis by Kaspersky Lab researchers found the malware has shown up on servers in Iran and Sudan, as well as India, where authorities confiscated Duqu-infected systems last week.

Microsoft did release a workaround for the Windows kernel zero-day vulnerability.

In an advisory issued Thursday night, Microsoft security officials said that the flaw is in the TrueType font parsing engine in Windows. The FixIt tool that Microsoft released Thursday automatically applies the workaround the company suggests in its security advisory on the Windows kernel flaw.

To apply the workaround manually, users of 32-bit systems can enter the following at the command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

For 64-bit systems, users should enter this at the command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

Echo y| cacls “%windir%\syswow64\t2embed.dll” /E /P everyone:N

Microsoft said in its advisory although the overall effect of the vulnerability is low thus far, it has been used in some targeted attacks by the Duqu malware.

Leave a Reply

You must be logged in to post a comment.