We have written already about Stuxnet v2 or TR/Duqu and we mentioned that Avira detects it TR/Spy.Duqu.A and TR/Duqu.A.1.
This malware uses a vulnerability in a Microsoft Windows component, the TrueType font parsing engine. The vulnerability is caused when the Windows kernel-mode driver win32k.sys fails to properly handle the TrueType font type.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time.
Win32k.sys is a kernel-mode device driver and exists in the kernel of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).
What to do ?
Microsoft is still working on a final solution, but currently there is nothing which can be automatically applied. The workarounds published in the Security Advisory (2639658) are available separately for Windows XP and Vista and above.
Note that there is a catch by applying this workaround: applications that rely on embedded font technology will fail to display properly.
Of course, since you have to do this by your own, Microsoft doesn’t guarantee anything.
It is highly improbably that you will get infected by not patching this vulnerability since all antivirus solution currently detect the malicious files. If you don’t have an antivirus installed then please get one here. This is why we advise not to play with this workaround since you could do more damage than good.
Sorin Mustaca
Leave a reply
