By Robert Vamosi
A new Microsoft Fix it addresses the underlying vulnerability exploited by a new virus — but the fix also causes problems.
Although we’d ordinarily jump on a needed malware remedy, in this case we’re probably better off waiting for the full patch, expected soon.
The double nature of the Stuxnet infection
In the summer of 2010, Windows systems in Iran and other countries were found infected by zero-day malware. Stuxnet took advantage of a flaw in the way Windows Shell loads the icon of a shortcut (.lnk) file, so merely viewing the contents of a removable drive such as a USB flash drive was enough to run it. The worm had two jobs: to spread among Windows machines, and to reach the Siemens Step 7 software that programs the programmable logic controllers (PLCs) (Ars Technica story) used in the centrifuges that make up a key element of Iran’s nuclear program.
The design and execution of Stuxnet were targeted at a very specific type of industrial control system equipment (detailed in a Symantec Executive Summary PDF document). Many people in the antivirus community thought it was unique: the first time a Windows vulnerability had been used as a stepping stone to tamper with a PLC. Then, just as everyone was completing their forensic analysis of Stuxnet, came word of Duqu.
Duqu: All in the family or a copycat?
In October 2011, the Laboratory of Cryptography and System Security (CrySyS, a research lab at the Budapest University of Technology and Economics) reported a new piece of malware that was strikingly similar to Stuxnet. Duqu (named for the ~DQ prefix it gives to the files it creates) shares a substantial amount of code with Stuxnet, which raises the question: was Duqu built by the same people who built Stuxnet, or is it a successful copy?
Duqu seems to have a different purpose from Stuxnet. Instead of carrying a payload that sabotages PLCs, Duqu collects information such as keystrokes and system details and sends it to remote command-and-control servers. (Some of those servers were located in India and have since been shut down.) Like Stuxnet, Duqu appears to target organizations in the industrial control systems sector, and it has turned up mostly in Europe, the Middle East, and Asia. To check whether a system is already infected by Duqu, you can obtain a free Duqu detector toolkit from CrySyS.
TrueType zero-day exploit travels via Word
Like Stuxnet, Duqu relies on a previously unknown (zero-day) vulnerability, CVE-2011-3402, in the TrueType font-parsing code of the Win32k kernel-mode driver (win32k.sys). A font embedded in a document reaches that kernel code by way of the user-mode Embedded OpenType font library, t2embed.dll, which is why Microsoft’s temporary workaround targets that file rather than the driver itself. The flaw affects Windows XP, Windows Vista, Windows 7, and Windows Server 2003 and 2008. (Windows Server 2008 R2 for Itanium-based systems and the Service Pack 1 Server Core installation are reported as not affected; check the advisory’s affected-software table for your exact configuration.)
On Nov. 3, Microsoft released Security Advisory 2639658, stating that an attacker who exploited this TrueType vulnerability could “run arbitrary code in kernel mode.” Duqu’s installer arrives as a Word document, sent to targeted individuals, that carries a malicious embedded TrueType font; opening the document is enough to trigger the flaw. Microsoft said the attacker could then “install programs; view, change, or delete data; or create new accounts with full user rights.” Microsoft classes the flaw as an elevation of privilege, but note what kind: because the font is parsed inside the kernel, a successful exploit goes straight from opening a document to running code in kernel mode, with no separate sandbox escape or second exploit required. The company went on to say that it sees “low customer impact at this time” because of the targeted nature of Duqu (although some security experts believe Duqu to be potentially very dangerous).
No Microsoft patch is available (yet)
Microsoft has yet to issue a patch for this zero-day vulnerability. Instead, it provided a Fix it (download page), a temporary workaround designed to protect the user until the permanent fix ships. The workaround sets a deny-access permission for Everyone on t2embed.dll, cutting off the embedded-font path the Duqu exploit uses, so the exploit fails. The cost is that any application relying on embedded fonts, including some documents and web pages, will no longer display them properly; Microsoft’s advisory lists this as the workaround’s impact. The Duqu Fix it also has an odd characteristic: it prompts Windows XP users to download two older Microsoft patches, MS10-001 (KB 972270) and MS10-076 (KB 982132), presumably because both are earlier updates to the same Embedded OpenType font engine (t2embed.dll) and the Fix it wants them in place before it changes the file’s permissions. Most XP users have presumably installed them long ago.
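For readers who would rather apply, verify, and later roll back the workaround by hand than run the Fix it, here is an added example (not code from the article, and not Microsoft’s Fix it) that wraps the manual cacls command from Security Advisory 2639658 in a small PowerShell script. The script name (t2embed-workaround.ps1), the function names, and the use of cacls rather than the Fix it installer are assumptions for illustration; the deny-Everyone permission it sets and the two XP prerequisite updates it checks for are the ones discussed above.

```powershell
<#
  Added example (not from the article, and not Microsoft's Fix it): a wrapper around the
  manual workaround in Security Advisory 2639658, which denies Everyone access to
  t2embed.dll. Adds a check that the XP prerequisite updates are present, a verification
  step, and a rollback. Run from an elevated (Administrator) PowerShell.
  Assumed: cacls.exe is present, which it is on every affected Windows release.
#>
param(
    [ValidateSet('Apply', 'Verify', 'Undo')]
    [string]$Action = 'Verify'
)

# t2embed.dll lives in System32; 64-bit Windows also carries a 32-bit copy under SysWOW64,
# and the advisory's workaround covers both copies.
$targets = @("$env:windir\system32\t2embed.dll")
if (Test-Path "$env:windir\syswow64\t2embed.dll") {
    $targets += "$env:windir\syswow64\t2embed.dll"
}

function Test-EveryoneDenied([string]$Path) {
    # True when the file's DACL carries a Deny entry for Everyone (well-known SID S-1-1-0),
    # which is what "cacls /P everyone:N" writes.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($ace.AccessControlType -eq 'Deny' -and $sid -eq $everyone) { return $true }
    }
    return $false
}

function Test-XpPrerequisites {
    # Windows XP (and Server 2003) report major version 5. The Fix it expects MS10-001
    # (KB972270) and MS10-076 (KB982132), both earlier updates to t2embed.dll, to be present.
    if ([Environment]::OSVersion.Version.Major -ne 5) { return $true }
    $ok = $true
    foreach ($kb in 'KB972270', 'KB982132') {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            Write-Warning "$kb is not installed; install it before applying the workaround."
            $ok = $false
        }
    }
    return $ok
}

switch ($Action) {
    'Apply' {
        if (-not (Test-XpPrerequisites)) { exit 1 }
        foreach ($t in $targets) {
            # The advisory's own command: edit the ACL in place (/E) and replace Everyone's
            # rights with None (/P everyone:N); "echo y" answers cacls' confirmation prompt.
            cmd.exe /c "echo y| cacls `"$t`" /E /P everyone:N"
        }
    }
    'Undo' {
        foreach ($t in $targets) {
            # Revoke (/R) the Everyone entry again, restoring embedded-font rendering.
            cmd.exe /c "cacls `"$t`" /E /R everyone"
        }
    }
}

# Report the resulting state for every copy of the DLL, whichever action ran.
foreach ($t in $targets) {
    $state = if (Test-EveryoneDenied $t) { 'DENIED (workaround active)' } else { 'allowed (workaround not applied)' }
    Write-Output ("{0}: Everyone access {1}" -f $t, $state)
}
```

Run `.\t2embed-workaround.ps1 -Action Apply` from an elevated prompt to put the workaround in place, `-Action Verify` (the default) to confirm the Deny entry is present on every copy of the DLL, and `-Action Undo` once the permanent patch is installed. While the Deny entry is in place, expect documents and web pages that rely on embedded fonts to render with substitute fonts, exactly the side effect Microsoft’s advisory warns about.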