The Latest in IT Security

Microsoft publishes a workaround for Duqu Malware

04
Nov
2011

We have written already about Stuxnet v2 or TR/Duqu and we mentioned that Avira detects it TR/Spy.Duqu.A and TR/Duqu.A.1.

This malware uses a vulnerability in a Microsoft Windows component, the TrueType font parsing engine. The vulnerability is caused when the Windows kernel-mode driver win32k.sys fails to properly handle the TrueType font type.

An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time.

Win32k.sys is a kernel-mode device driver and exists in the kernel of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).

What to do ?

Microsoft is still working on a final solution, but currently there is nothing which can be automatically applied. The workarounds published in the Security Advisory (2639658) are available separately for Windows XP and Vista and above.

Note that there is a catch by applying this workaround: applications that rely on embedded font technology will fail to display properly.

Of course, since you have to do this by your own, Microsoft doesn’t guarantee anything.

It is highly improbably that you will get infected by not patching this vulnerability since all antivirus solution currently detect the malicious files. If you don’t have an antivirus installed then please get one here. This is why we advise not to play with this workaround since you could do more damage than good.

 

Sorin Mustaca

Data Security Expert

Leave a reply


Categories

SUNDAY, SEPTEMBER 22, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks