When Duqu, which most believed to be written by the same group that wrote Stuxnet, was originally uncovered, the infection vector was still unknown; how did the machines get compromised in the first place? That changed when the Hungarian research lab, CrySys, announced that it had found the dropper which was a Word file that used a new 0-day vulnerability in how Windows parses TrueType fonts.
Microsoft has confirmed that there is indeed a vulnerability in TrueType Font parsing. An attacker could use this vulnerability to run arbitrary code in kernel mode. Vulnerabilities that allow the attacker to run code directly in kernel mode are very rare, and the attacker could, for example, create new user accounts with full access rights. More information is available from Microsoft in Security Advisory 2639658.
Microsoft has also released a Fix-It tool that will temporarily mitigate any attack using this vulnerability.
Websense, as an active member of the Microsoft MAPP program, has worked with Microsoft to develop protection for our customers. Our security solution will block as “Malicious Web Sites” any attempts to download a file containing an exploit that uses this vulnerability:
Block message when trying to download a file exploiting CVE-2011-3402
Websense will continue to work closely with Microsoft and the security community to monitor this prevalent threat.
Leave a reply