Microsoft reveals flaw Duqu exploits, issues awkward workaround
Quick-fix shuts off Duqu installer, but turns off some fonts, too. Real patch still on the way
Experts predicted yesterday that Microsoft wouldn't have a patch for the Windows flaw the new super-malware Duqu uses to insinuate itself into the core of Windows systems.
According to a Microsoft Security Advisory published yesterday, the unknown flaw Duqu exploits is in a code library called T2embed.dll – a Win32K module that renders True Type fonts.
T2embed.dll is a font library that that has been part of the OS since Windows98; it embeds True Type fonts within Windows itself rather than running them separately as was the case previously.
Font-rendering utilities seem like an odd place to find an easy way past all the other safeguards and security measures Microsoft has built into Windows, especially during the past few years.
Rendering fonts smoothly on computers that display things in tiny, square pixels is resource-intensive, however.
So it makes sense that Microsoft built the module that does that work into a spot as close to the core of the Windows OS as possible. Even tiny lags in performance in font rendering translate into big lags in application performance because every page of every app every user needs has to be rendered (quickly) thousands of times per session.
Duqu's installer attaches to the .dll and takes on many of its attributes, including the .dll's right to run code with the same rights and priorities as the Windows kernel itself.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware... The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message." – Microsoft Security Advisory Nov. 3, 2011
Microsoft's workaround doesn't fix the vulnerability directly; it shuts off T2embed.dll instead. That shuts the door on Duqu, but also makes those fonts unavailable to apps or documents that currently assume they'll be available.
There are actually two files in the workaround: one to shut off T2embed.dll and the other to turn it back on again.
Keep in mind that Microsoft's labeling may be confusing. The first FixIt, marked "Enable" turns I the workaround, which turns off T2embed.dll.
The FixIt marked "Disable" turns off the workaround, which turns T2embed.dll back on, giving you back your fonts and making you vulnerable to the Duqu installer again.
- The first workaround Microsoft Fix It 507092 turns off the T2embed.dll The second workaround turns the True Type feature back on, in case having it shut off causes problems with your system.
- The FixIt that turns T2embed.dll and your fonts back on is number 50793.
Both are formatted in the easy-to-use Microsoft FixIt format – which automates changes to the registry, registration or deregistration of .DLLs, eliminates corrupted Registry entries and other often complex repairs.
The workarounds are quick work from Microsoft, but not a complete solution.
The Security update promises quick action and quick distribution for a final patch as well, but offered no estimate of how long the delay may be.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.