Existence of the previously unknown vulnerability surfaced after researchers began studying the recently discovered Duqu malware, which appears to have been designed to steal industrial control design documents. By exploiting the zero-day vulnerability, the industrial espionage malware would have the ability to infect Windows PCs without being detected.
Microsoft said the zero-day vulnerability exploited by Duqu involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft's security advisory.
[ Learn more. Read What Is Duqu Up To? ]
"That's a pretty serious bug," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "In the terms security professionals usually use that means it has the ability for remote code execution and elevation of privilege."
One piece of good news is that the vulnerability can't be automatically exploited--for example, simply by receiving a malicious email--but would require some user interaction. "For an attack to be successful, a user must open an attachment that is sent in an email message," said Microsoft. At that point, however, the malware could be detected, blocked, and eliminated by antivirus engines.
In lieu of an outright fix, Microsoft has detailed a workaround, which involves disabling support for embedded TrueType fonts. Microsoft's advisory includes a link to a "fix it" tool, which will disable system access to the vulnerable operating system component, which is the T2embed.dll file. "We recommend applying the workaround, but organizations should explore the impact that the diminished rendering capacity will have on normal document processing and Web browsing," said Wolfgang Kandek, CTO of Qualys, in a blog post.
As that suggests, the workaround may cause Microsoft Office applications to incorrectly render documents with embedded TrueType fonts. Microsoft said that it will release a patch as soon as it can develop one, meaning it could come packaged as part of its December set of patch releases, or even sooner via an out-of-band patch.
A fix for the flaw won't, however, be part of next week's monthly set of patch releases. On Thursday, Microsoft announced that it will release patches for four bugs involving Vista, Windows 7, Windows XP, Server 2003 SP2, and 2008 Server R2. Only one of the patches is rated as critical, meaning that it could be remotely exploited without user intervention. Per normal practice, Microsoft won't detail the exact products to be patched, or the flaws in question, until it releases the actual patches.