Microsoft acknowledges Duqu exploit threat

Redmond has published a fresh security advisory (2639658) to address a Windows kernel vulnerability (CVE-2011-3402) exploited by Duqu malware.

Microsoft traced the flaw to the processing of embedded True Type Fonts (TTFs), which could be used by an attacker to “install programs; view, change, or delete data; or create new accounts with full user rights.”

As Chester Wisniewski of Sophos Security notes, Duqu is a “pretty serious bug,” as it facilitates unauthorized remote code execution (RCE) and elevation of privilege (EoP).

“[Yes], Microsoft is working diligently to provide a patch, but it is unlikely we will see it in this Tuesday’s update from the software giant,” said Wisniewski.  

“They are simply committing to providing a quality fix whether that is in an out-of-cycle update or in the December Patch Tuesday.”

In the meantime, Redmond is offering a FixIt download tool coded to disable support for embedded TTFs to provide protection against the flaw.

Still, Wisniewski cautions that FixIt will inevitably prevent any app that relies on embedded TTFs from rendering properly – which is a common practice in Office docs, browsers and viewers.

“I expect Microsoft won’t waste too much time getting a fix out for this one, and the risk of being exploited through this bug is extremely low for most organizations,” he added.

For its part, Microsoft pledged to closely monitor the threat landscape and  said it was ready to alert

customers if any indication of increased risk is identified.

“As previously stated, the risk for customers remains low,” Microsoft rep Jerry Bryant wrote in a security blog post.

“However, that is subject to change so we encourage customers to either apply the workaround or ensure their anti-malware vendor has added new signatures based on the information we’ve provided them to ensure protections are in place for this issue.”