Friday, November 04, 2011

Microsoft Fix it for Duqu Malware, Security Advisory 2639658

Microsoft released Security Advisory 2639658 which relates to a Windows kernel issue related to the Duqu malware, a trojan that injects malicious code into other processes.

As illustrated in the image below of the Duqu infection schematics, provided by Symantec in Duqu: Status Updates Including Installer with Zero-Day Exploit Found,  once infected, the trojan can then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft is aware of targeted attacks that try to use the reported vulnerability and reports that at this time they see "low customer impact". Work continues to provide a security update for the vulnerability, either via an out-of-band update or during the regular monthly release process.  An update is not expected to be ready for delivery with the scheduled November update.

Microsoft Fix it

As an interim work-around, Microsoft has provided a Microsoft Fix it solution to simplify the work-around for workaround to deny access to t2embed.dll. 

The Fix it solution is available from Microsoft KB Article 2639658, with direct links to the download files to enable and disable the solution below.

Fix this problem
Microsoft Fix it 50792
Fix this problem
      Microsoft Fix it 50793


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Brian (AKA The Dean) said...

Great info, Corrine. One quick observation. After I used the first fixit (to disable t2embed.dll) I repeatedly started receiving two Windows Security Updates. The updates would install, but continue to appear as being available. While the update history showed them as installed, they were not shown in Add/Remove programs (XP) at least not as installed today. I must have installed them four times.

Then I tried the second fixit (re-enabling t2embed.dll). The Security Updates no longer appear as being needed.

Just an FYI in case others experience the same issue.

Brian Fiori

Corrine said...

Thank you for the report, Brian. In checking, it appears that you re not alone.

Others have reported having Microsoft updates KB 972270 (MS10-001: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) and KB 982132 (MS10-076: Vulnerability in the Embedded OpenType Font Engine could allow remote code execution) repeatedly re-offered after enabling the Microsoft Fix it.

Since both updates are already installed, you could enable the Fix it and hide the updates when offered again.

Select the update and then right-click the update and click "Hide Update." Repeat for the second update.

ky331 said...

Like other users, I have experienced and can confirm a direct cause/effect correlation between applying Microsoft Fix-it 50792, and Windows Update then finding a need to reinstall Security Bulletins MS10-001 and MS10-076 [at least, on XP-SP3 systems].

However, upon hiding these 2 updates, Windows then "digs back" even further, asserting the need to install Microsoft Security Bulletin MS09-029 - Critical
Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution. (This update failed to install.) Hiding this one as well finally "tricks" Windows in believing that I'm up to date.

Corrine said...

Thank you for the additional information, ky331.

Each of those updates relate to the same dll so the update mechanism must be confused on XP systems since the Fix it is changing permissions for t2embed.dll restricting access to "everyone".

Since Microsoft provided security vendors with the information to add definitions to their products and stated "the risk for customers remains low", I don't think it is that serious an issue if the Fix it isn't enabled.

That said, if the Fix it is enabled, be sure to disable it when an update is released for this Security Advisory.

Anonymous said...

IMO:A FixIt that creates repeated errors in Microsoft Update is worse than no fix at all.

It would be better to limit the access rights of Authenticated Users to Read.