Microsoft Security Advisory (2639658)

ronjor · Nov 3, 2011

Published: Thursday, November 03, 2011

Version: 1.0

General Information

Executive Summary

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Click to expand...

http://technet.microsoft.com/en-us/security/advisory/2639658

Cudni · Nov 3, 2011

That is a nasty bug (to allow such potential for damage). Sooner it is fixed the better

ronjor · Nov 3, 2011

Fixit link. http://support.microsoft.com/kb/2639658

siljaline · Nov 4, 2011

Thanks for this, Ron

xxJackxx · Nov 4, 2011

Any thoughts on the odds of actually encountering this? I hate having to go around and run these fix-its on a dozen machines when a patch will be coming... sometime.

ronjor · Nov 4, 2011

The bulletin mentions targeted attacks but low impact so far. I suppose if your machines are backed up and you do encounter the malware, you could restore backups.

If you do decide to use the fixit, save the disable fixit in case you need it later.

siljaline · Nov 8, 2011

Most AV Vendors are now offering full protection from all known variants.

An out-of-band patch from Microsoft will not be forthcoming on Patch Tuesday, November 8 !!

It has become known in the security community the MS Fix It 50792 Live Link re-enables the following two MS KB's to be offered via Windows Update that date to late last year, as follows: http://support.microsoft.com/?kbid=982132 & http://support.microsoft.com/?kbid=972270

The general consensus is to disable the MS Fix It Live Link Reboot your PC, proceed with Windows Update as you normally would and re-implement the Fix It if you so choose to do so after you have successfully completed updating your operating system.

ronjor · Nov 5, 2011

Bulletin revised.

* Microsoft Security Advisory (2639658 )
- Title: Vulnerability in TrueType Font Parsing Could Allow
Elevation of Privilege
- http://technet.microsoft.com/security/advisory/2639658
- Revision Note: V1.2 (November 4, 2011): Revised the workaround,
Deny access to T2EMBED.DLL, to improve support for non-English
versions of Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2. Customers with non-English versions of
Microsoft Windows should reevaluate the applicability of the
revised workaround for their environment.
Click to expand...

elapsed · Nov 5, 2011

xxJackxx said:

Any thoughts on the odds of actually encountering this? I hate having to go around and run these fix-its on a dozen machines when a patch will be coming... sometime.
Click to expand...

I wouldn't bother, as stated it's pretty widely detected. MS have pushed out important individual updates in the past during the last week of the month, it's possible they will do so in november.

HarderMechanicalEW · Nov 7, 2011

I read that most security vendors already detect and block the main Duqu files. Has ESET addressed these files?

MrBrian · Nov 7, 2011

Microsoft sloppy on Duqu workaround

siljaline · Nov 8, 2011

ESET currently offers fulls protection from all known variants of Duqu You may also run this query

HarderMechanicalEW said:

I read that most security vendors already detect and block the main Duqu files. Has ESET addressed these files?
Click to expand...

siljaline · Nov 8, 2011

Thread bump.

Microsoft PC Safety are available 24 hours for US and Canadian users at 1-866-727-2338

Page42 · Dec 5, 2011

ronjor said:

Fixit link. http://support.microsoft.com/kb/2639658
Click to expand...

Thanks for the Fixit link, Ron.
I'm a little late to the party, but I did just apply the fix.
Now I gotta remember to disable the fix before the next MS Updates.

Page42 · Jan 12, 2012

Page42 said:

Now I gotta remember to disable the fix before the next MS Updates.
Click to expand...

FWIW, I had to disable the Fixit in order to stop MS from continually offering two updates to me (KB982132 & KB972270).
Prior to running the disabling fixit (50793), MS would continuously say,

This update has already been downloaded to your computer but if you select it, it will finish installing (recommended).
Click to expand...

MS reportedly has already noted this...

Impact of Workaround. Applications that rely on embedded font technology will fail to display properly. Also, after applying this workaround, users of Windows XP and Windows Server 2003 may be reoffered the KB982132 and KB972270 security updates. These reoffered updates will fail to install. The reoffering is a detection logic issue and users who have successfully applied both the KB982132 and KB972270 security updates previously can ignore the reoffer.
Click to expand...

All well and good, but I have read one blogger who states,

Uninstalling the FixIt seems to stop these incessant prompts, although it leaves the vulnerable Windows component exposed.
Click to expand...

Sigh.
From what I gather, the Fixit is best either left in place (with the continual offering of the two Updates taking place), or removed to allow the updates to install, and then enabled once again.

Log in or Sign up

Microsoft Security Advisory (2639658)

ronjor Global Moderator

Cudni Global Moderator

ronjor Global Moderator

siljaline Registered Member

xxJackxx Registered Member

ronjor Global Moderator

siljaline Registered Member

ronjor Global Moderator

elapsed Registered Member

HarderMechanicalEW Registered Member

MrBrian Registered Member

siljaline Registered Member

siljaline Registered Member

Page42 Registered Member

Page42 Registered Member

Log in or Sign up

Microsoft Security Advisory (2639658)

ronjor Global Moderator

Cudni Global Moderator

ronjor Global Moderator

siljaline Registered Member

xxJackxx Registered Member

ronjor Global Moderator

siljaline Registered Member

ronjor Global Moderator

elapsed Registered Member

HarderMechanicalEW Registered Member

MrBrian Registered Member

siljaline Registered Member

siljaline Registered Member

Page42 Registered Member

Page42 Registered Member

Useful Searches