November 4, 2011

Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment.

Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking “disable” image in the Microsoft advisory and following the prompts.

Update, Nov. 10, 9:22 a.m. ET: As several readers have noted, installing this FixIt may cause Windows Update to repeatedly ask prompt you to install two particular updates: KB972270, and KB982132. Uninstalling the FixIt seems to stop these incessant prompts, although it leaves the vulnerable Windows component exposed.

17 thoughts on “Microsoft Issues Stopgap Fix for ‘Duqu’ Flaw

  1. A340-600

    Is it too late for the patch to be releases next Tuesday (Patch Tuesday)?

    1. Mike Mastela

      As the article states, it is a stopgap fix, or what was once called a hot fix, but it is not a patch and couldn’t be released next Tuesday; a fix and a patch while achieving the same end are not the same thing.

  2. eCurmudgeon

    According to the Microsoft Security Advisory, “Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.”

    This begs the question of WHY font rendering is taking place in kernel mode in the first place, rather than being delegated to user mode.

  3. Tim Cole

    I just got two MS monthly updates to run which came on Saturday instead of Tuesday. So, I checked the Microsoft Update site to see if they were legit and they were there too.
    I installed them from the site then went and turned automatic updates back on and it started installing them again and again. I finally went in and disabled that Fix-It 50792 by running Fix-it
    50793. That stopped the loop and it quit installing them. I guess that stopped them as when I went back to check MS Updates they were there and ready to install again. Those Fix-Its seem to cause issues every time there is one of them.

    1. PeterM

      Tim, my experience (XP SP3) was the same –after running the FixIt, two old updates (KB982132 – MS10-076 & KB972270 – MS10-001) kept re-installing until removed the FixIt.

    2. BrianKrebs Post author

      A bit late, I know, but Microsoft responded that this behavior is a known bug with this FixIt. No response about any intention to remedy the annoying update prompts. From their advisory:

      “Impact of Workaround. Applications that rely on embedded font technology will fail to display properly. Also, after applying this workaround, users of Windows XP and Windows Server 2003 may be reoffered the KB982132 and KB972270 security updates. These reoffered updates will fail to install. The reoffering is a detection logic issue and users who have successfully applied both the KB982132 and KB972270 security updates previously can ignore the reoffer. “

  4. Mark in Columbus

    Same loopy experience with the patches happened to me, too. Rather than remove the fixit, I first made sure–via “add and remove programs”–that these two ancient patches were, indeed, installed in my system. Once certain of that, I waited for the next update attempt, chose “custom install,” cancelled it and checked “do not remind me of these updates again” (or whatever it says). Thus, I still have the fixit and both patches working. And the yellow shield has vanished–at least until tomorrow.

  5. SFdude

    As “Mark in Columbus”
    points out (see post above),
    I did NOT uninstall the Duqu Fixit.
    (I STILL want to be protected by this Fixit…).

    When updating,
    I noted that I already had
    these 2 old MS patches:

    KB972270, and KB982132

    so I did NOT install them again.
    As Mark said, I marked them as:
    “do not remind me of these updates again”.

    Anyone else with news or opinions on
    this digital “deja vu” situation?

    – Anyone?
    – Brian?
    – Microsoft? (<== just kiddin', MS could care less…)

    1. Brian Krebs

      I put in a request to Microsoft for more information about this glitch. Will ask again today for an update. Will update you all if/when I hear back.

  6. SFdude

    Thanks Brian!

    waiting (with bated breath),
    before applying
    this month’s MS patches…

  7. SFdude


    1) I ENable the “Duqu Flaw” Fix-it: 50792.

    2) Call MS Updater…

    I mark as:
    “don’t show again…”
    the already installed, “old” patches:
    KB972270, and KB982132

    3) I do accept the other 4 “new”, valid KBs.
    But…all 4 “new” KBs refuse to install….fail!

    4) I DISable “Duqu Flaw” Fix-it: 50793 Grrrr!

    5) All 4 “new” KBs now install ok… (w/o the Fixit..).

    Well, the “Duqu Flaw” Fix-it is NOT installed now.

    How vulnerable is my system right now?
    Should I re-enable the Fix-it: 50792
    wait until the M$ overlords, include it in the December update?

    (Win XP-SP3 32 bit, here).

  8. anotheradmin

    Ok I also had the twin repeaters show up after the fixit….this problem is one of my 2003 servers….selected to ignore the 2 updates….to get another third update (kb961371)….this update fails because it conflicts with another “change for security”…

    which denies access to the t2embed.dll file to prevent exploitability…..

  9. Windchild

    Installing the FixIt will cause Windows Update to offer (and fail to install) those two old updates because the FixIt works by denying read access to the T2EMBED.DLL file, as it says in the advisory. Nothing really to worry about…

    Pretty nasty flaw, though. MS ought to patch it a lot quicker.

    1. anotheradmin

      I am wondering if disabling access to the file….will prevent future patches from updating it?
      Are we to re-enable access to the file to patch it? That could be a minor problem for a lot of pc’s….
      also just an fyi NESSUS does report this….as that is how I found it….for anyone close to audit time….:)

Comments are closed.