Share

Related Links

  • M86 Security
  • Reed Exhibitions Ltd is not responsible for the content of external websites.

Top 5 Stories

News

Duqu-linked privilege flaw discovered in Windows

09 November 2011

Microsoft has issued an advisory about a TrueType font parsing flaw that could be used to elevate privileges on a Windows-based system. The bad news, says M86 Security, is that the Duqu-related flaw has already been spotted in the wild, although Microsoft says it is still investigating the issue.

The Redmond software giant says that an attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode, allowing them to “install programs; view, change, or delete data; or create new accounts with full user rights.”

“We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware”, said Microsoft in its advisory, adding that it may include an update in its monthly Patch Tuesday process.

Ziv Mador, a security researcher with M86 Security's Israel operation, has picked up on the security issue and, while he said that only a handful of targeted attacks have been found, the issue affects most Windows versions, including Windows 7.

“An attack involves a file which has a maliciously crafted TrueType font file (TTF) embedded in it. There are several file formats that use TrueType fonts, for example, file formats of Microsoft Office and Adobe Acrobat Reader. In the currently known targeted attacks, a Microsoft Word document was used”, he wrote in his latest security posting.

Once rendered on a vulnerable system, Mador reports that parsing the TTF file may end up with execution of malicious code. The good news, he noted, is that Microsoft has issued a FixIt tool as a workaround.

The tool, he said, disables access to the system file T2embed.dll in order to avoid TrueType font processing, although he adds that applications that use these fonts may break after the workaround is deployed.

“In the known attacks, the installed malware is known as Duqu. The Laboratory of Cryptography and System Security (CrySyS) at Budapest University first reported these attacks and they were thoroughly investigated by that team”, he concluded.

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×