November 04, 2011, 12:08 PM — Experts predicted yesterday that Microsoft wouldn't have a patch for the Windows flaw the new super-malware Duqu uses to insinuate itself into the core of Windows systems.
According to a Microsoft Security Advisory published yesterday, the previously unknown flaw Duqu exploits is in a code library called T2embed.dll – a Win32K module that renders TrueType fonts.
T2embed.dll is a font library that has been part of the OS since Windows 98; it embeds TrueType fonts within Windows itself rather than running them separately, as was the case previously.
Font-rendering utilities seem like an odd place to find an easy way past all the other safeguards and security measures Microsoft has built into Windows, especially during the past few years.
Rendering fonts smoothly on computers that display things in tiny, square pixels is resource-intensive, however.
So it makes sense that Microsoft built the module that does that work into a spot as close to the core of the Windows OS as possible. Even tiny lags in performance in font rendering translate into big lags in application performance because every page of every app every user needs has to be rendered (quickly) thousands of times per session.
Duqu's installer attaches to the DLL and inherits many of its attributes, including the DLL's right to run code with the same privileges and priority as the Windows kernel itself.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware... The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message." – Microsoft Security Advisory Nov. 3, 2011