Microsoft squashes Duqu threat with Windows patch

@ 2011/12/14
A month after releasing a temporary workaround to block malware exploiting a Windows kernel vulnerability, Microsoft today issued a patch for all supported releases of Windows aimed at putting an end to attacks based on the Duqu worm.

Duqu, reminiscent of last year's Stuxnet threat, has reportedly been used in Europe, Iran, Sudan, and the United States. The attacks exploited a vulnerability in the Windows TrueType font-parsing engine, which runs in kernel mode: a malformed font embedded in a document or web page let attackers run code with kernel privileges and from there install programs, manipulate data, or create new accounts with full user rights. Last month, Microsoft issued a temporary workaround that denied all access to the dynamic link library applications use to display embedded TrueType fonts, at the cost of those fonts no longer rendering correctly.

Today's patch eliminates the need for a workaround, fixing the code in all supported versions of Windows XP, Windows Vista, Windows 7, and Windows Server 2003 and 2008. While not mentioning Duqu by name, Microsoft described it as a fix for a "Vulnerability in Windows Kernel-Mode Drivers" and said, "The vulnerability could allow remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files... The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically."
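Administrators who applied last month's interim workaround have a follow-up task once the update is installed: revert the lockdown, since the patch makes it unnecessary and the lockdown keeps breaking embedded fonts. The PowerShell script below is an added example written for this page, not code from the article or from Microsoft. It checks whether the update is installed, whether the workaround's file ACL is still present, and, on request, removes it. The specifics it relies on (hotfix ID KB2639417 for bulletin MS11-087, CVE-2011-3402, the file t2embed.dll, and the cacls undo command from Security Advisory 2639658) come from Microsoft's own publications and are not stated in the article above; the parameter name and output text are the example's own choices.

```powershell
# Added example (not from the article): audit a host for the patch/workaround state.
# Facts from Microsoft's publications, not from the article:
#   - the fix for the TrueType parsing flaw (CVE-2011-3402) shipped as MS11-087 / KB2639417
#   - the interim workaround in Security Advisory 2639658 denied Everyone access to t2embed.dll
#     (both the System32 and, on 64-bit Windows, the SysWOW64 copy)
# The -Revert switch and the message wording are this example's own.
param(
    [switch]$Revert   # remove the interim ACL, but only once the hotfix is confirmed installed
)

$hotfixId = 'KB2639417'
$hotfix = Get-HotFix -Id $hotfixId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "$hotfixId installed on $($hotfix.InstalledOn)"
} else {
    Write-Output "$hotfixId NOT installed: host is unpatched or still relies on the workaround"
}

# Check whichever copies of the DLL exist on this machine.
$dlls = @("$env:windir\System32\t2embed.dll", "$env:windir\SysWOW64\t2embed.dll") |
    Where-Object { Test-Path $_ }

foreach ($dll in $dlls) {
    try {
        $acl = Get-Acl -Path $dll -ErrorAction Stop
    } catch {
        # A Deny-all ACE can block reading the DACL itself; report rather than guess.
        Write-Output "$dll : cannot read ACL ($($_.Exception.Message)); run elevated"
        continue
    }

    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -match 'Everyone'
    })
    if ($denies.Count -eq 0) {
        Write-Output "$dll : no Deny ACE for Everyone (workaround not applied or already reverted)"
        continue
    }

    Write-Output "$dll : workaround ACE present (Deny $($denies[0].FileSystemRights) to Everyone)"
    if ($Revert -and $hotfix) {
        # The undo command Microsoft's advisory gave: strip Everyone's entries from the DACL.
        & cacls.exe $dll /E /R Everyone | Out-Null
        Write-Output "$dll : workaround reverted; embedded TrueType rendering restored"
    } elseif ($Revert) {
        Write-Output "$dll : refusing to revert because $hotfixId is not installed"
    }
}
```

Run it once without `-Revert` to see the state of each host, and only pass `-Revert` after the hotfix check reports the update as installed; the script refuses to lift the lockdown on an unpatched machine so that a fleet-wide rollout cannot reopen the hole.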

The patch came on Microsoft's regularly scheduled Patch Tuesday, which included 13 security bulletins addressing 19 vulnerabilities in Windows, Office, and Internet Explorer. Four of the patches, including the Windows kernel one, require a restart; the other nine may require one. Three, again including the kernel patch, are rated critical. One other critical patch addresses a flaw that could allow remote code execution if a user views a specially crafted web page in Internet Explorer; that update also sets kill bits for four third-party ActiveX controls. The third critical patch fixes a vulnerability in Windows Media Player and Media Center that could allow remote code execution if a user opens a specially crafted video file.

Microsoft originally planned to issue 14 bulletins rather than 13, but one was delayed because it would have broken an application shipped by an unnamed "major third-party vendor." "We’re currently working with that vendor to address the issue on their platform, after which we’ll issue the bulletin as appropriate," Microsoft said. With today's bulletins marking the last Patch Tuesday of the year, Microsoft said it has issued 99 bulletins in 2011, with critical bulletins accounting for 32 percent, a lower figure in both percentage and absolute terms than in most previous years.

UPDATE: It turns out the patch left out of this month's batch is for BEAST, or "Browser Exploit Against SSL/TLS," and it was scratched because of incompatibility with an SAP application, Computerworld reports. We posted a story on BEAST a few months back.
