Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Microsoft Details Duqu Workaround

Patch Tuesday next week won't have a fix for the newly discovered zero-day vulnerability, but Microsoft says it will deliver one as soon as it can.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Microsoft on Thursday confirmed the existence of a new Windows zero-day vulnerability and said it's investigating the flaw and will patch it as soon as possible.

Existence of the previously unknown vulnerability surfaced after researchers began studying the recently discovered Duqu malware, which appears to have been designed to steal industrial control design documents. By exploiting the zero-day vulnerability, the industrial espionage malware would have the ability to infect Windows PCs without being detected.

Microsoft said the zero-day vulnerability exploited by Duqu involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft's security advisory.

[ Learn more. Read What Is Duqu Up To? ]

"That's a pretty serious bug," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "In the terms security professionals usually use that means it has the ability for remote code execution and elevation of privilege."

One piece of good news is that the vulnerability can't be automatically exploited--for example, simply by receiving a malicious email--but would require some user interaction. "For an attack to be successful, a user must open an attachment that is sent in an email message," said Microsoft. At that point, however, the malware could be detected, blocked, and eliminated by antivirus engines.

In lieu of an outright fix, Microsoft has detailed a workaround, which involves disabling support for embedded TrueType fonts. Microsoft's advisory includes a link to a "fix it" tool, which will disable system access to the vulnerable operating system component, which is the T2embed.dll file. "We recommend applying the workaround, but organizations should explore the impact that the diminished rendering capacity will have on normal document processing and Web browsing," said Wolfgang Kandek, CTO of Qualys, in a blog post.

As that suggests, the workaround may cause Microsoft Office applications to incorrectly render documents with embedded TrueType fonts. Microsoft said that it will release a patch as soon as it can develop one, meaning it could come packaged as part of its December set of patch releases, or even sooner via an out-of-band patch.

A fix for the flaw won't, however, be part of next week's monthly set of patch releases. On Thursday, Microsoft announced that it will release patches for four bugs involving Vista, Windows 7, Windows XP, Server 2003 SP2, and 2008 Server R2. Only one of the patches is rated as critical, meaning that it could be remotely exploited without user intervention. Per normal practice, Microsoft won't detail the exact products to be patched, or the flaws in question, until it releases the actual patches.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-11
An issue was discovered in the BSON ObjectID (aka bson-objectid) package 1.3.0 for Node.js. ObjectID() allows an attacker to generate a malformed objectid by inserting an additional property to the user-input, because bson-objectid will return early if it detects _bsontype==ObjectID in the user-inpu...
PUBLISHED: 2019-12-11
An issue was discovered in Squiz Matrix CMS 5.5.0 prior to, 5.5.1 prior to, 5.5.2 prior to, and 5.5.3 prior to where a user can trigger arbitrary unserialization of a PHP object from a packages/cms/page_templates/page_remote_content/page_remote_content.inc POST parame...
PUBLISHED: 2019-12-11
An issue was discovered in core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc in Squiz Matrix CMS 5.5.0 prior to, 5.5.1 prior to, 5.5.2 prior to, and 5.5.3 prior to where a user can delete arbitrary files from the se...
PUBLISHED: 2019-12-11
SQL injection vulnerability in DBD::PgPP 0.05 and earlier
PUBLISHED: 2019-12-11
includes/libs/IEUrlExtension.php in the MediaWiki API in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 does not properly detect extensions when there are an even number of "." (period) characters in a string, which allows remote attackers to conduct cross-s...