Microsoft Issues Temp Duqu Workaround

Microsoft has responded to the serious threat by the Duqu worm after it issued a temporary workaround, outside of its usual Patch Tuesday schedule.

In addition however Microsoft is also expected to release four bulletins in next week’s Patch Tuesday update, so as to close holes in all supported versions of the Windows operating system.

As expected, Microsoft did not release any information in this Patch Tuesday advisory about a possible fix for the zero-day vulnerability in the Windows kernel that is being exploited by the Duqu Trojan’s installer file. However, later in the day, the company issued a separate advisory with a temporary workaround for the flaw.

Kernel Flaw

The previously unknown flaw in the Win32k TrueType font-parsing engine affected every supported version of Windows, including Windows 7 and Windows Server 2008, Microsoft said in the 3 November advisory. The advisory was accompanied by a “Fix it” update that is designed to protect systems from being exploited via this bug, but was not a permanent patch to the flaw that is being exploited by Duqu.

The workaround implemented by Fix it essentially denies access to the dynamic link library that uses the embedded font technology. If the workaround is applied, applications that rely on embedded font technology will fail to display properly, Microsoft said. The vulnerability also cannot be exploited automatically through email, Microsoft said. For an attack to succeed, the user must open the attachment to launch the exploit.

If exploited successfully, an attacker would be able to run arbitrary code in kernel mode, according to the advisory. “The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft warned.

A permanent patch will be released at a later date as part of the company’s regular update schedule or as an out-of-band update, Microsoft said, without specifying any timelines.

Stuxnet Relation

Symantec and Hungarian research group Laboratory of Cryptography and System Security (CrySyS) had identified the vulnerability earlier this week while researching the Duqu Trojan, a new malware that has infected a handful of companies around the world. Security researchers are concerned about its capabilities and intended purpose because it shares a lot of code with the highly sophisticated Stuxnet worm.

The technical details of the vulnerability have already been shared with security vendors, according to Jerry Bryant, group manager at Microsoft’s Trustworthy Computing group. “This means that within hours, anti-malware firms will roll out new signatures that detect and block attempts to exploit this vulnerability,” Bryant wrote on a Microsoft Technet blog. Users should ensure their antivirus software is up-to-date to receive the latest signatures, he said.

Despite the sophisticated nature of Duqu, the threat of exploitation remained low, Bryant said. The installation file that has been uncovered thus far showed that Duqu was designed to install itself on to a system during a specific time period in August, and it uninstalled itself a little over a month later.

“However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue,” Bryant said.

While the Duqu Trojan used a malicious Word document to exploit the vulnerability, it is a kernel exploit, meaning that other Microsoft and third-party products could be used to target the same security hole, according to Carey. Any attempts to fix it could also affect the core operating system.

Many organisations will not be affected by malware exploiting the issue, unless other malware authors discover the malware’s source code or the security hole. However, some organisations easily panic and could fall victim to social engineering attacks related to this vulnerability, according to Carey.

Light Patch Tuesday

As for the the upcoming Patch Tuesday release for November, Microsoft described it as light, with only four bulletins, all addressing issues in the Windows operating system, Microsoft said in its Patch Tuesday pre-notification announcement 3 November.

Microsoft rated only one of the patches as critical, but it affects the “newer” operating systems, Windows Vista, Windows 7 and Windows Server 2008 R2. Windows XP and Windows 2003 users are only affected by one bulletin, rated important.

The critical and one of the important patches address flaws that could result in remote-code-execution attacks. The other important bulletin fixed an elevation of privilege flaw and the final bulletin, rated moderate, could result in a denial-of-service attack if exploited. The critical one has an exploitability rating of only 3, suggesting that attackers are not likely to target the vulnerability, according to the pre-notification announcement.

“This is a Patch Tuesday that will give a break to many IT administrators,” said Wolfgang Kandek, CTO of Qualys.

The fact that some of the bulletins relate only to the later versions of the operating system seems to indicate that the flaws they address “were possibly introduced with Windows Vista,” Marcus Carey, security researcher from Rapid7, told eWEEK .

The November Patch Tuesday updates are expected to be released 8 November.