Sunday 13 November 2011

Microsoft Releases Critical Windows Security Update

Back in October a rootkit was discovered that exploits a critical security vulnerability in the Windows operating system. We covered a detection and removal tool two days ago that would scan a PC and remove any traces of the Duqu rootkit from a system.

Microsoft today released a security advisory to give customers “guidance for the Windows kernel issue related to the Duqu malware”.

The advisory describes a vulnerability in TrueType font parsing that could allow elevation of privileges. Attackers who manage to exploit the vulnerability can run arbitrary code in kernel mode which would allow them to install programs, “view, change or delete data” and create new accounts with “full user rights”.

Microsoft confirms that targeted attacks using the vulnerability are currently being carried out. The overall impact is, however, rated as low.

Microsoft is offering a manual workaround for affected versions of Windows on the security advisory page:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative command prompt:

Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following commands at an administrative command prompt:

Takeown.exe /f "%windir%\system32\t2embed.dll"

Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

For 64-bit systems, enter the following commands at an administrative command prompt:

Takeown.exe /f "%windir%\system32\t2embed.dll"

Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

Takeown.exe /f "%windir%\syswow64\t2embed.dll"

Icacls.exe "%windir%\syswow64\t2embed.dll" /deny everyone:(F)

The workaround may impact applications that “rely on embedded font technologies”, because it blocks all access to the font-embedding library t2embed.dll.

The workaround can be undone again in the following way:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

cacls "%windir%\system32\t2embed.dll" /E /R everyone

For 64-bit systems, enter the following commands at an administrative command prompt:

cacls "%windir%\system32\t2embed.dll" /E /R everyone

cacls "%windir%\syswow64\t2embed.dll" /E /R everyone

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:

Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

For 64-bit systems, enter the following commands at an administrative command prompt:

Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone
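The apply and undo procedures above are the same two or four commands repeated per Windows version and architecture. The following PowerShell script is an added example, not Microsoft's Fix it and not code from the advisory or this article: it selects the right commands for the running system, applies or reverts the workaround, and then verifies the result by inspecting the ACL and by actually trying to open the file (the deny entry for Everyone applies to administrators too, so a blocked open is the reliable signal). It assumes an elevated, native 64-bit PowerShell on 64-bit systems (so %windir%\system32 is not WOW64-redirected); the script name, the -Action parameter and the Test-WorkaroundApplied helper are my own.

```powershell
# Added example (not Microsoft's Fix it, not code from the advisory).
# Usage (hypothetical file name):  .\t2embed-workaround.ps1 -Action Apply|Verify|Revert
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify'
)

# The advisory touches system32 on every system and syswow64 only on 64-bit ones.
$targets = @("$env:windir\system32\t2embed.dll")
if (Test-Path "$env:windir\syswow64\t2embed.dll") {
    $targets += "$env:windir\syswow64\t2embed.dll"
}

# Windows XP / Server 2003 are NT 5.x and use cacls; Vista and later use takeown/icacls.
$legacy = [Environment]::OSVersion.Version.Major -lt 6

function Test-WorkaroundApplied([string]$Path) {
    # Check 1: is there a Deny entry for Everyone (well-known SID S-1-1-0)?
    # Using the SID avoids depending on the localized account name.
    $acl = Get-Acl -Path $Path
    $denyAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    # Check 2: can the file still be opened? A Deny on Everyone blocks administrators
    # as well, so an access-denied error here means the workaround is effective.
    $openBlocked = $false
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $fs.Close()
    } catch [System.UnauthorizedAccessException] {
        $openBlocked = $true
    }
    return New-Object PSObject -Property @{
        Path        = $Path
        DenyAce     = [bool]$denyAce
        OpenBlocked = $openBlocked
        Applied     = $openBlocked   # the behavioural check is the one that matters
    }
}

foreach ($path in $targets) {
    switch ($Action) {
        'Apply' {
            if ($legacy) {
                # The advisory's XP/2003 command; cmd.exe is needed for the "echo y|" pipe.
                cmd.exe /c "echo y| cacls `"$path`" /E /P everyone:N"
            } else {
                takeown.exe /f $path | Out-Null
                icacls.exe $path /deny 'everyone:(F)'
            }
        }
        'Revert' {
            if ($legacy) {
                cacls.exe $path /E /R everyone
            } else {
                icacls.exe $path /remove:d everyone
            }
        }
        'Verify' { }
    }
    # Report the resulting state after every action so a failed step is visible.
    Test-WorkaroundApplied -Path $path | Format-Table Path, DenyAce, OpenBlocked, Applied -AutoSize
}
```

Running it with -Action Verify before and after applying the workaround, and again after reverting, confirms the change on each file; if OpenBlocked stays False after Apply, the command ran without the necessary privileges or the file was redirected to the wrong system directory.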

Microsoft furthermore has released a Fix it solution that users can run on their system to protect it from the security vulnerability.

The Fix it can be downloaded from the following Microsoft Knowledge Base article.

It is recommended to apply the workaround on computer systems until Microsoft releases a security patch that resolves the issue without side effects.

Please note that there is one Fix it for enabling the workaround and another for disabling it.