Even though the vulnerability leveraged by the Duqu malware was addressed five months ago, Microsoft found that the same piece of code was being used in other products. As a result, the company's May 2012 security bulletins fix a number of applications that contained the code.
The security hole stemmed from an insufficient bounds check in the way win32k.sys handled TrueType font (TTF) parsing. The troublesome piece of code from this file was also present in gdiplus.dll, a library used by a number of third-party applications, especially web browsers.
Microsoft Office, Silverlight, and Windows Journal also parsed fonts using the same code, making them all vulnerable.
“The Office document attack vector leveraged by the Duqu malware was addressed by MS11-087 – Duqu is no longer able to exploit that vulnerability after applying the security update. However, we wanted to be sure to address the vulnerable code wherever it appeared across the Microsoft code base,” Jonathan Ness of MSRC Engineering wrote.
“To that end, we have been working with Microsoft Research to develop a ‘Cloned Code Detection’ system that we can run for every MSRC case to find any instance of the vulnerable code in any shipping product. This system is the one that found several of the copies of CVE-2011-3402 that we are now addressing with MS12-034.”
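The idea of searching a code base for copies of a known-flawed snippet can be shown with a small sketch. This is an added example, not Microsoft's Cloned Code Detection system, whose internals the article does not describe; it assumes source-level matching on normalized token shingles, and the C snippets, file names and threshold are constructed for illustration.

```python
import re

C_KEYWORDS = {"for", "while", "if", "else", "return", "int", "void",
              "char", "unsigned", "const", "sizeof"}
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\sA-Za-z_\d]")

def normalize(source):
    """Drop comments; map identifiers to ID and numbers to NUM so renamed copies match."""
    source = re.sub(r"/\*.*?\*/|//[^\n]*", " ", source, flags=re.S)
    tokens = []
    for tok in TOKEN_RE.findall(source):
        if tok[0].isdigit():
            tokens.append("NUM")
        elif (tok[0].isalpha() or tok[0] == "_") and tok not in C_KEYWORDS:
            tokens.append("ID")
        else:
            tokens.append(tok)
    return tokens

def shingles(tokens, k=6):
    """Set of every run of k consecutive normalized tokens."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def containment(pattern_src, candidate_src, k=6):
    """Fraction of the pattern's shingles that also occur in the candidate."""
    pattern = shingles(normalize(pattern_src), k)
    candidate = shingles(normalize(candidate_src), k)
    return len(pattern & candidate) / len(pattern) if pattern else 0.0

def find_clones(pattern_src, corpus, threshold=0.8):
    """Names of corpus files containing at least `threshold` of the pattern."""
    return sorted(n for n, src in corpus.items()
                  if containment(pattern_src, src) >= threshold)

# Constructed flawed snippet: the copy loop never checks offset + i against the table size.
VULN_PATTERN = """
for (i = 0; i < glyph_count; i++) {
    table[offset + i] = src[i];  /* missing bounds check */
}
"""
# Constructed stand-ins for components that may share the code.
CORPUS = {
    "component_a.c": "void load(unsigned char *dst, const unsigned char *in, int base, int cnt) {\n"
                     "    int n;\n    for (n = 0; n < cnt; n++) {\n        dst[base + n] = in[n];\n    }\n}\n",
    "component_b.c": "for (k = 0; k < total; k++) { /* copy entries */ buf[start + k] = data[k]; }",
    "component_c.c": "int checksum(const unsigned char *p, int n) { int s = 0; while (n--) s += *p++; return s; }",
}

print(find_clones(VULN_PATTERN, CORPUS))
```

A match only marks a file as a candidate for review; whether the copy is actually reachable and unpatched still has to be confirmed per product.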
Because of the large number of products affected by the TTF issue, the number of vulnerabilities addressed in the MS12-034 bulletin appears high. However, most of the fixes target the same flaw; because different products are affected, a separate CVE was assigned to each instance.
As always, users are advised to immediately apply the latest security updates to ensure the safety of their devices.