Microsoft MVP
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY
Message 1 of 8 (1,560 Views)

Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

[ Edited ]

Microsoft Security Advisory, Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege, relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes. An update is not expected to be ready for delivery with the scheduled November update. A Microsoft Fix it solution is available from Microsoft KB Article 2639658.

(A few additional details and informational links are available in my article at  Microsoft Fix it for Duqu Malware, Security Advisory 2639658.)

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
Posts: 1,467
Registered: ‎05-01-2010
Location: US
Message 2 of 8 (1,553 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Symantec has posted:  "Duqu: Status Updates Including Installer with Zero-Day Exploit Found" that includes a link to Microsoft's advisory and to the workaround for the zero-day vulnerability identified as one Duqu infection vector.
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit


If you find a post helpful and it answers your question, please click the "Accept As Solution" button.

I am not employed by Lenovo or Microsoft. I am a volunteer.

SpywareHammer
Microsoft MVP
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY
Message 3 of 8 (1,524 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

The Symantec article also has a nice infographic.  (It is one of the additional references I referenced in my article.)

Another important point that I should have mentioned earlier is that Microsoft has provided MAPP partners (Microsoft Active Protections Program) the details for adding detection in their products.  That means A/V vendors should have signatures to detect and block attempts to exploit the vulnerability. 

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
Posts: 8,592
Topics: 428
Kudos: 1,567
Solutions: 347
Registered: ‎11-19-2007
Location: US
Message 4 of 8 (1,506 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Corrine,

Welcome to the forum! Thank you both for sharing info on Duqu - great to have more security experts here in the community!

Best regards,

Mark

Microsoft MVP
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY
Message 5 of 8 (1,502 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Thank you, Mark. I look forward to adding contributions along with the excellent information provided by long-time friends Bugbatter and Goretsky.

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum

Microsoft MVP
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY
Message 6 of 8 (1,480 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

After enabling Microsoft Fix it 50792, there have been reports of Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) being repeatedly re-offered.

In the event you experience the same issue, after confirming in the update history that both updates are installed, I suggest that you enable the Fix it and then hide the updates when offered again.

To hide the updates, select the first update and then right-click the update and click "Hide Update." Repeat for the second update.

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
Posts: 1,467
Registered: ‎05-01-2010
Location: US
Message 7 of 8 (1,410 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

[ Edited ]

Updated: Friday, November 11, 2011

Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege

https://technet.microsoft.com/en-us/security/advisory/2639658


If you find a post helpful and it answers your question, please click the "Accept As Solution" button.

I am not employed by Lenovo or Microsoft. I am a volunteer.

SpywareHammer
Microsoft MVP
Posts: 66
Registered: ‎11-03-2011
Location: Upstate, NY
Message 8 of 8 (1,404 Views)

Re: Security Advisory 2639658 and Microsoft Fix it (Duqu Trojan)

Thanks, Bugbatter!  I'm glad to see the Advisory was finally updated.

The change:  "V1.4 (November 11, 2011): Revised impact statement for the workaround, Deny access to T2EMBED.DLL, to address applications that rely on T2EMBED.DLL for functionality."

Impact of Workaround. 

  • Applications that rely on embedded font technology will fail to display properly.
  • After applying this workaround, users of Windows XP and Windows Server 2003 may be reoffered the KB982132 and KB972270 security updates. These reoffered updates will fail to install. The reoffering is a detection logic issue and users who have successfully applied both the KB982132 and KB972270 security updates previously can ignore the reoffer.
  • Applications with functionality that relies on T2EMBED.DLL, such as generating PDF files, may fail to work as expected. For example, Microsoft Office software will fail to generate PDF files. 

~~~~~~~~~~~~~

It was reported at one of the forums that running System File Checker with the Microsoft Fix it enabled results in it stopping at 16% and giving the message:

Cannot repair member file [l:22{11}]"t2embed.dll" of Microsoft-Windows-Font-Embedding

After disabling the Microsoft Fix it, System File Checker works again. That makes sense since the Fix it is taking ownership of t2embed.dll and then denying access to the dll:

Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny *S-1-1-0:(F)

Microsoft MVP, Consumer Security
Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
Twitter: http://twitter.com/SecurityGarden
Security Information and Malware Removal @LandzDown Forum
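As an added example (not code from this thread, from Microsoft, or from the Fix it itself), the following PowerShell script checks whether the workaround described above is in effect on a machine by looking for the Deny ACE the Icacls command adds for Everyone (S-1-1-0) on t2embed.dll, and reports whether the two updates mentioned in the thread (KB982132 and KB972270) show as installed. It assumes the Fix it consists of exactly the takeown and icacls commands quoted above and that it is run from an elevated session.

```powershell
# Added example, not code from the thread or from Microsoft. Run elevated:
# reading the DLL's security descriptor needs owner or administrator rights.
$T2EmbedPath = Join-Path $env:windir 'system32\t2embed.dll'

# Returns $true when an ACE denying Everyone (S-1-1-0) Full control is present,
# which is what "Icacls ... /deny *S-1-1-0:(F)" adds.
function Test-T2EmbedWorkaround {
    param([string]$Path = $T2EmbedPath)
    if (-not (Test-Path -Path $Path)) { return $false }
    $acl  = Get-Acl -Path $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Request rules keyed by SID so the check does not depend on the
    # localized account name "Everyone".
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq 'S-1-1-0' -and
            (($ace.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

# Returns the subset of the given KB IDs that Get-HotFix reports as installed.
# Caveat: Get-HotFix reads Win32_QuickFixEngineering, which does not list every
# update type, so "not reported" is not proof the update is missing; confirm in
# the Windows Update history as the thread suggests.
function Get-InstalledFontUpdates {
    param([string[]]$KBs = @('KB982132', 'KB972270'))
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

$applied   = Test-T2EmbedWorkaround
$installed = @(Get-InstalledFontUpdates)
if ($applied) {
    Write-Output "Workaround (deny Everyone on t2embed.dll) is ENABLED on $T2EmbedPath."
    Write-Output "Expect embedded-font rendering, Office PDF export and sfc /scannow to be affected."
} else {
    Write-Output "Workaround is NOT enabled on $T2EmbedPath."
}
foreach ($kb in @('KB982132', 'KB972270')) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'not reported by Get-HotFix' }
    Write-Output "$kb : $state"
}
```

Because the check keys on the SID rather than the display name, it gives the same answer on non-English Windows installations.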