Not long ago, the malware known as Stuxnet became public and captured wide attention. It was the first malware of its kind to carry a payload that affected not only the software on infected machines but also the industrial processes controlled by them; its impact was targeted and unprecedented. In September 2011 a new malware called 'Duqu' was discovered. It shares much of its code with Stuxnet, appears to have been written by the same authors, and has been described by Symantec as a precursor to the next Stuxnet-style attack.
The malware arrives in a specially crafted Word document, generally sent to the victim as an email attachment. Microsoft reports that the document exploits a 0-day vulnerability (CVE-2011-3402) in the Win32k TrueType font parsing engine. When the document is opened, the embedded font triggers the exploit, which runs attacker-controlled code in kernel mode and installs the malware. According to Microsoft, an attacker who succeeds can then install programs; view, change or delete data; or create new accounts with full user rights.
The file involved in the published workaround is T2EMBED.DLL (in the System32 folder; on 64-bit Windows there is a second copy under SysWOW64), the font embedding library that applications use to load fonts embedded in documents, which in turn feeds the Win32k TrueType parser. Microsoft currently offers the workaround as a pair of one-click "Fix it" solutions (http://support.microsoft.com/kb/2639658): one enables it, the other reverts it. Enabling the workaround adds a file ACL that denies everyone access to T2EMBED.DLL, so embedded fonts cannot be loaded and the exploit fails. The cost is that applications relying on embedded fonts will no longer render them correctly.
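The following script is an added example and is not part of the original post or Microsoft's Fix it package. It applies, checks or reverts the same access-denial workaround from an elevated PowerShell prompt, using the takeown/icacls commands the advisory documents, so an administrator can confirm the state of managed machines rather than trust that the Fix it ran. It assumes the standard T2EMBED.DLL locations under %windir%\System32 and %windir%\SysWOW64; the function names are mine.

```powershell
# Added example: enable, disable or report the "deny Everyone access to
# t2embed.dll" workaround from Microsoft Security Advisory 2639658.
# Usage (elevated prompt):  .\T2embedWorkaround.ps1 -Action Status|Enable|Disable
param(
    [ValidateSet('Status', 'Enable', 'Disable')]
    [string]$Action = 'Status'
)

# Assumed locations; the SysWOW64 copy exists only on 64-bit Windows.
$targets = @("$env:windir\System32\t2embed.dll")
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    $targets += "$env:windir\SysWOW64\t2embed.dll"
}

# Returns $true when the file carries a Deny ACE for Everyone (S-1-1-0)
# that covers at least ReadData, which is what loading the DLL requires.
# Comparing by SID rather than the name "Everyone" keeps it locale-independent.
function Test-DenyEveryone([string]$Path) {
    $need = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl  = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq 'S-1-1-0' -and
            (($ace.FileSystemRights -band $need) -eq $need)) {
            return $true
        }
    }
    return $false
}

# Same commands the advisory gives for Vista/7/2008: take ownership first,
# because TrustedInstaller owns the file, then add the Deny ACE.
function Enable-Workaround([string]$Path) {
    & takeown.exe /f $Path | Out-Null
    & icacls.exe $Path /deny '*S-1-1-0:(F)' | Out-Null
}

# Revert: remove every Deny ACE for Everyone (icacls /remove:d).
function Disable-Workaround([string]$Path) {
    & icacls.exe $Path /remove:d '*S-1-1-0' | Out-Null
}

foreach ($t in $targets) {
    switch ($Action) {
        'Enable'  { Enable-Workaround  $t }
        'Disable' { Disable-Workaround $t }
    }
    New-Object PSObject -Property @{
        File       = $t
        Workaround = $(if (Test-DenyEveryone $t) { 'present' } else { 'absent' })
    }
}
```

Run it with -Action Status (the default) from a management script or scheduled task to inventory which machines still lack the workaround; the Enable and Disable branches do exactly what the Fix it does, so either can be used to revert once the proper update ships.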
A proper security update for this vulnerability is still awaited from Microsoft, which is currently investigating the issue. Similar flaws in the Win32k TrueType font parsing engine and other system components have been patched before, and there is no reason to expect malware authors to stop looking for newer and more sinister ways to make their creations cause damage.
Even though Microsoft reports only limited, targeted attacks in the wild, this is a good time for network administrators to deploy the one-click Fix it on their managed machines until the proper security update arrives. On our end, we have added detection and removal for the malware, so the end customer is protected when the malware-laden email attachment is downloaded onto the machine. As always, keep your security software up to date and exercise caution when opening email attachments.