Duqu Mitigation
There has been a lot of information published on Duqu over the past few days, and it is likely exploiting a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. Until a patch has been released to fix this vulnerability, it cannot be exploited automatically via email unless the user opens an attachment sent in an email message. The Microsoft advisory is posted here [1]. US-CERT also posted a critical alert here [2], and Symantec a whitepaper on the subject here [3].
[1] http://technet.microsoft.com/en-us/security/advisory/2639658
[2] http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01E.pdf
[3] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
However, "applications that rely on embedded font technology will fail to display properly."
Alex
Nov 4th 2011
1 decade ago
BradC
Nov 4th 2011
1 decade ago
How could an attacker exploit the vulnerability?
There are multiple means that could allow an attacker to exploit this vulnerability, including providing documents or convincing users to visit a Web page that embeds TrueType. The specially crafted TrueType font could then exploit the vulnerability.
So it looks to me like embedded TrueType in webpages is a distinct vector. I've checked both IE 7 and IE 9 and they both default to "Enabled" for Font Download for the Internet security zone. See http://msdn.microsoft.com/en-us/library/ms533034(v=vs.85).aspx for a discussion of Font Embedding in Internet Explorer, including various test pages you can use to verify the behavior (and probably also verify the workaround - I haven't gotten quite that far yet).
Anonymous
Nov 4th 2011
1 decade ago
I am really disappointed in MS as I suspect the poster above is correct.
Rodger
Nov 4th 2011
1 decade ago
dsh
Nov 5th 2011
1 decade ago
Removing the partial patch by MS Fix it 50793 gives the same issue:
A script to complete the installation could not be processed. Contact your supportpersonal or supplier of the paket. Userdefined action: RUN_32_SETACL Scripterror -2147023170, : line62, column 5,
Elbe
Nov 7th 2011
1 decade ago
Looks like Microsoft has to review and fix the Fix it and/or provide a WSUS patch that works under all these scenarios.
ELBE
Nov 7th 2011
1 decade ago
ELBE
Nov 7th 2011
1 decade ago
As long as all users on the machine are in the Users group (either directly or indirectly), you can adjust the deny to affect the BUILTIN\Users group instead of NT AUTHORITY\Everyone. If you do that, then SYSTEM can still do scans (since it's a de facto member of the Administrators group, but not the Users group). I'm pivoting to that as a workaround. I'm not worrying about servers - one shouldn't be opening random files or websurfing from servers!
Anonymous
Nov 7th 2011
1 decade ago
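The two workarounds discussed in the comments (the IE "Font Download" zone setting and the Deny ACE that the Fix it places on the font embedding library, with the Everyone-versus-BUILTIN\Users trade-off raised in the last comment) can be audited without changing anything. The following PowerShell is an added example, not code from the diary, its commenters or Microsoft. It assumes that the file the Fix it / RUN_32_SETACL step modifies is t2embed.dll, as described in the Microsoft advisory's manual workaround, and that IE stores the Internet zone's Font download action as registry value 1604 under zone 3 (0 = Enable, 1 = Prompt, 3 = Disable):

```powershell
# Added example (not from the ISC diary or its comments): read-only audit of the
# two Duqu workarounds discussed above. Run in an elevated PowerShell prompt.
#
# Assumption 1: the ACL workaround from Microsoft advisory 2639658 denies access
#   to t2embed.dll (native and WOW64 copies on x64). A Deny ACE for Everyone
#   (S-1-1-0) also blocks SYSTEM, so AV scans of that file fail; a Deny ACE for
#   BUILTIN\Users does not, which is the point made in the last comment.
# Assumption 2: IE's per-zone "Font download" URL action is registry value 1604
#   under ...\Internet Settings\Zones\<zone>; zone 3 is the Internet zone.

function Get-T2EmbedDenyAces {
    $candidates = @(
        (Join-Path $env:windir 'System32\t2embed.dll'),
        (Join-Path $env:windir 'SysWOW64\t2embed.dll')   # present on x64 only
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $deny = (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' }
        if (-not $deny) {
            [pscustomobject]@{ Path = $path; Principal = '(no Deny ACE)'; Rights = ''; BlocksSystem = $false }
            continue
        }
        foreach ($ace in $deny) {
            # Compare by SID so localized names of "Everyone" do not matter.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{
                Path         = $path
                Principal    = $ace.IdentityReference.Value
                Rights       = $ace.FileSystemRights
                BlocksSystem = ($sid -eq 'S-1-1-0')   # Everyone includes SYSTEM
            }
        }
    }
}

function Get-IeFontDownload {
    param([int]$Zone = 3)   # 3 = Internet zone
    $names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    # HKLM takes precedence when "Security Zones: Use only machine settings"
    # is enforced, so report both hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
        $raw = (Get-ItemProperty -Path $key -Name '1604' -ErrorAction SilentlyContinue).'1604'
        $state = if ($null -eq $raw) { '(not set, default applies)' }
                 elseif ($names.ContainsKey([int]$raw)) { $names[[int]$raw] }
                 else { "unknown ($raw)" }
        [pscustomobject]@{ Hive = $hive; Zone = $Zone; FontDownload = $state }
    }
}

Get-T2EmbedDenyAces | Format-Table -AutoSize
Get-IeFontDownload  | Format-Table -AutoSize
```

A host where the Fix it applied cleanly shows a Deny ACE on t2embed.dll with BlocksSystem = True; the variant from the last comment shows BUILTIN\Users with BlocksSystem = False. A value of Enable for zone 3 means the web-page vector described in the advisory FAQ is still open in IE regardless of the ACL, so both rows are worth reading together.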