While a security update for the Critical zero-day vulnerability in Windows kernel exploited by the Duqu malware is not yet available, Microsoft has reacted quite fast to enable customers to at least deploy a temporary solution until it releases an official patch.The automatic fix currently being offered to all Windows users comes to introduce a workaround capable of blocking Duqu from exploiting the TrueType Font Parsing Vulnerability (CVE-2011-3402).
The security hole resides in the Win32k TrueType font parsing engine, and is caused when a Windows kernel-mode driver handles the TrueType font type improperly, Microsoft explained.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the software giant said.
“We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.”
The Microsoft Security Advisory (2639658) and KB 2639658 have been published on November 3, 2011 to provide additional information to customers, guidance on how to protect themselves against potential attacks and the workaround the Redmond company put together.
“To make it easy for customers to install, we have released a Fix it that will allow one-click installation of the workaround and an easy way for enterprises to deploy,” the software giant said.
Customers looking to render Duqu incapable of exploiting the Critical 0-day TrueType Font Parsing vulnerability need to install Microsoft Fix it 50792.
“When you run the Enable fix it solution, the workaround denies the system access to the T2embed.dll file,” the company informs.
The software giant is also supplying Microsoft Fix it 50793 to disable the changes introduced by Microsoft Fix it 50792.
The Fix it automatic solution is a viable workaround that can be deployed until Microsoft patches the TrueType Font Parsing security issue. According to the company, a security update won’t be released next week with the rest of its monthly patches for November.
“Given our ability to detect exploit attempts for this issue, we are able to closely monitor the threat landscape and will notify customers if we see any indication of increased risk,” revealed Jerry Bryant, group manager, Response Communications Trustworthy Computing Group.
“As previously stated, the risk for customers remains low. However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.”