Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

[ Edited ]

Microsoft Security Advisory, Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege, relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes. An update is not expected to be ready for delivery with the scheduled November update. A Microsoft Fix it solution is available from Microsoft KB Article 2639658.

(A few additional details and informational links are available in my article at Microsoft Fix it for Duqu Malware, Security Advisory 2639658.)

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
Bugbatter
Posts: 805
Registered: ‎05-01-2010
Location: USA

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Symantec has posted:  "Duqu: Status Updates Including Installer with Zero-Day Exploit Found" that includes a link to Microsoft's advisory and to the workaround for the zero-day vulnerability identified as one Duqu infection vector.
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit


If you find a post helpful and it answers your question, please click the "Accept As Solution" button.

Lenovo Advocate ~ I am not employed by Lenovo or Microsoft. I am a volunteer.

Microsoft MVP - Consumer Security

SpywareHammer

Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

The Symantec article also has a nice infographic.  (It is one of the additional references I referenced in my article.)

Another important point that I should have mentioned earlier is that Microsoft has provided MAPP partners (Microsoft Active Protections Program) the details for adding detection in their products.  That means A/V vendors should have signatures to detect and block attempts to exploit the vulnerability. 

Administrator
Mark_Lenovo
Posts: 8,026
Registered: ‎11-19-2007
Location: RTP, North Carolina

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Corrine,

Welcome to the forum! Thank you both for sharing info on Duqu - great to have more security experts here in the community!

Best regards,

Mark

____________________________________________

ThinkPads: S30, T43, X60t, X1, W700ds, IdeaPad Y710, IdeaCentre: A300, IdeaPad K1
Mark Hopkins
Program Manager, Lenovo Social Media (Services)
twitter @lenovoforums
Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Thank you, Mark. I look forward to adding contributions along with the excellent information provided by long-time friends Bugbatter and Goretsky.
Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.

Bugbatter
Posts: 805
Registered: ‎05-01-2010
Location: USA

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

[ Edited ]

Updated: Friday, November 11, 2011

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege

https://technet.microsoft.com/en-us/security/advisory/2639658



Microsoft MVP
Corrine
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Thanks, Bugbatter! I'm glad to see the Advisory was finally updated.

The change: "V1.4 (November 11, 2011): Revised impact statement for the workaround, Deny access to T2EMBED.DLL, to address applications that rely on T2EMBED.DLL for functionality."

Impact of Workaround.

  • Applications that rely on embedded font technology will fail to display properly.
  • After applying this workaround, users of Windows XP and Windows Server 2003 may be reoffered the KB982132 and KB972270 security updates. These reoffered updates will fail to install. The reoffering is a detection logic issue and users who have successfully applied both the KB982132 and KB972270 security updates previously can ignore the reoffer.
  • Applications with functionality that relies on T2EMBED.DLL, such as generating PDF files, may fail to work as expected. For example, Microsoft Office software will fail to generate PDF files. 

~~~~~~~~~~~~~

It was reported at one of the forums that running System File Checker with the Microsoft Fix it enabled results in it stopping at 16% and giving the message:

Cannot repair member file [l:22{11}]"t2embed.dll" of Microsoft-Windows-Font-Embedding

After disabling the Microsoft Fix it, System File Checker works again. That makes sense since the Fix it is taking ownership of t2embed.dll and then denying access to the dll:

Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny *S-1-1-0:(F)

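An added example, not from the post or from Microsoft's Fix it: a PowerShell check for whether the deny-Everyone entry the Fix it places on t2embed.dll is present, which is the condition behind the SFC stop and the PDF/embedded-font side effects quoted above. It assumes an elevated Windows PowerShell session; the function name is mine.

```powershell
# Added example (not the Fix it's own code). Reports whether the Fix it 50792
# workaround is in effect by inspecting the ACL of t2embed.dll for the
# Deny ACE that "Icacls.exe ... /deny *S-1-1-0:(F)" adds for Everyone.
function Get-T2EmbedWorkaroundState {
    param(
        [string]$Path = (Join-Path $env:windir 'system32\t2embed.dll')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; DenyEveryone = $false; Owner = $null }
    }

    $acl      = Get-Acl -LiteralPath $Path
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

    # Match Deny entries whose trustee resolves to the well-known Everyone SID,
    # so the check does not depend on the localized display name "Everyone".
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
    }

    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        Owner        = $acl.Owner     # Takeown.exe changes this from TrustedInstaller to the admin who ran the Fix it
        DenyEveryone = [bool]$deny
        DenyRights   = ($deny | ForEach-Object { $_.FileSystemRights }) -join ','
    }
}

$state = Get-T2EmbedWorkaroundState
$state | Format-List

if ($state.DenyEveryone) {
    Write-Warning 'Workaround active: SFC will stop on t2embed.dll and EOT/PDF font features will fail until the deny entry is removed.'
    # To revert by hand (assumption: standard icacls syntax), remove the Deny entry:
    #   Icacls.exe "$env:windir\system32\t2embed.dll" /remove:d *S-1-1-0
}
```

Run it before and after applying the Fix it to confirm the entry toggles, and keep the output with your change record so the SFC error above is not mistaken for file corruption.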