Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Microsoft Details Duqu Workaround

Patch Tuesday next week won't have a fix for the newly discovered zero-day vulnerability, but Microsoft says it will deliver one as soon as it can.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Microsoft on Thursday confirmed the existence of a new Windows zero-day vulnerability and said it's investigating the flaw and will patch it as soon as possible.

Existence of the previously unknown vulnerability surfaced after researchers began studying the recently discovered Duqu malware, which appears to have been designed to steal industrial control design documents. By exploiting the zero-day vulnerability, the industrial espionage malware would have the ability to infect Windows PCs without being detected.

Microsoft said the zero-day vulnerability exploited by Duqu involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft's security advisory.

[ Learn more. Read What Is Duqu Up To? ]

"That's a pretty serious bug," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "In the terms security professionals usually use that means it has the ability for remote code execution and elevation of privilege."

One piece of good news is that the vulnerability can't be automatically exploited--for example, simply by receiving a malicious email--but would require some user interaction. "For an attack to be successful, a user must open an attachment that is sent in an email message," said Microsoft. At that point, however, the malware could be detected, blocked, and eliminated by antivirus engines.

In lieu of an outright fix, Microsoft has detailed a workaround, which involves disabling support for embedded TrueType fonts. Microsoft's advisory includes a link to a "fix it" tool, which will disable system access to the vulnerable operating system component, which is the T2embed.dll file. "We recommend applying the workaround, but organizations should explore the impact that the diminished rendering capacity will have on normal document processing and Web browsing," said Wolfgang Kandek, CTO of Qualys, in a blog post.

As that suggests, the workaround may cause Microsoft Office applications to incorrectly render documents with embedded TrueType fonts. Microsoft said that it will release a patch as soon as it can develop one, meaning it could come packaged as part of its December set of patch releases, or even sooner via an out-of-band patch.

A fix for the flaw won't, however, be part of next week's monthly set of patch releases. On Thursday, Microsoft announced that it will release patches for four bugs involving Vista, Windows 7, Windows XP, Server 2003 SP2, and 2008 Server R2. Only one of the patches is rated as critical, meaning that it could be remotely exploited without user intervention. Per normal practice, Microsoft won't detail the exact products to be patched, or the flaws in question, until it releases the actual patches.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-06
The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.
PUBLISHED: 2020-07-06
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.
PUBLISHED: 2020-07-06
It's possible to inject JavaScript code via the html method.
PUBLISHED: 2020-07-06
It's possible to use <<script>script> in order to go over the filtering regex.
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.