Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Microsoft Details Duqu Workaround

Patch Tuesday next week won't have a fix for the newly discovered zero-day vulnerability, but Microsoft says it will deliver one as soon as it can.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Microsoft on Thursday confirmed the existence of a new Windows zero-day vulnerability and said it's investigating the flaw and will patch it as soon as possible.

Existence of the previously unknown vulnerability surfaced after researchers began studying the recently discovered Duqu malware, which appears to have been designed to steal industrial control design documents. By exploiting the zero-day vulnerability, the industrial espionage malware would have the ability to infect Windows PCs without being detected.

Microsoft said the zero-day vulnerability exploited by Duqu involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft's security advisory.

[ Learn more. Read What Is Duqu Up To? ]

"That's a pretty serious bug," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "In the terms security professionals usually use that means it has the ability for remote code execution and elevation of privilege."

One piece of good news is that the vulnerability can't be automatically exploited--for example, simply by receiving a malicious email--but would require some user interaction. "For an attack to be successful, a user must open an attachment that is sent in an email message," said Microsoft. At that point, however, the malware could be detected, blocked, and eliminated by antivirus engines.

In lieu of an outright fix, Microsoft has detailed a workaround, which involves disabling support for embedded TrueType fonts. Microsoft's advisory includes a link to a "fix it" tool, which will disable system access to the vulnerable operating system component, which is the T2embed.dll file. "We recommend applying the workaround, but organizations should explore the impact that the diminished rendering capacity will have on normal document processing and Web browsing," said Wolfgang Kandek, CTO of Qualys, in a blog post.

As that suggests, the workaround may cause Microsoft Office applications to incorrectly render documents with embedded TrueType fonts. Microsoft said that it will release a patch as soon as it can develop one, meaning it could come packaged as part of its December set of patch releases, or even sooner via an out-of-band patch.

A fix for the flaw won't, however, be part of next week's monthly set of patch releases. On Thursday, Microsoft announced that it will release patches for four bugs involving Vista, Windows 7, Windows XP, Server 2003 SP2, and 2008 Server R2. Only one of the patches is rated as critical, meaning that it could be remotely exploited without user intervention. Per normal practice, Microsoft won't detail the exact products to be patched, or the flaws in question, until it releases the actual patches.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16966
PUBLISHED: 2019-10-21
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on...
CVE-2019-9491
PUBLISHED: 2019-10-21
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed.
CVE-2019-16964
PUBLISHED: 2019-10-21
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any comma...
CVE-2019-16965
PUBLISHED: 2019-10-21
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
CVE-2019-18203
PUBLISHED: 2019-10-21
On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi.