Microsoft have posted security advisory 2639658 to address the recently disclosed Windows kernel vulnerability (CVE-2011-3402) exploited by the Duqu malware.
Microsoft has determined the flaw is in the processing of embedded True Type Fonts (TTFs). According to Microsoft:
“The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
That’s a pretty serious bug. In the terms security professionals usually use that means it has the ability for remote code execution (RCE) and elevation of privilege (EoP).
Microsoft is working diligently to provide a patch, but it is unlikely we will see it in this Tuesday’s update from the software giant. They are simply committing to providing a quality fix whether that is in an out-of-cycle update or in the December Patch Tuesday.
Microsoft has offered a FixIt download tool that will disable support for embedded TTFs to provide protection against the flaw.
The problem with that is it will prevent any applications that rely on embedded TTFs from rendering properly. This is a common practice in Microsoft Office documents, browsers and document viewers.
I expect Microsoft won’t waste too much time getting a fix out for this one, and the risk of being exploited through this bug is extremely low for most organizations.
As SophosLabs further analyzes this threat we will post updates here on Naked Security.
Leave a reply
