Protection against Duqu malware

A new vulnerability in Windows has recently been identified and is already being exploited in the wild. For now, only a handful of targeted attacks have been found. The vulnerability exists in the Windows TrueType font parsing engine and affects most Windows versions, including Windows 7.

An attack involves a file with a maliciously crafted TrueType font (TTF) embedded in it. Several file formats can carry TrueType fonts, for example those of Microsoft Office and Adobe Acrobat Reader.

In the currently known targeted attacks, a Microsoft Word document was used. Once the document is rendered on a vulnerable system, parsing the embedded TTF can result in execution of malicious code.
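As an added example that is not part of the original article (nor tooling from M86 or Microsoft), the following Python heuristic flags files that carry an embedded TrueType font by validating the font's sfnt offset table, so such documents can be held for review instead of being opened on an unpatched host. It scans raw bytes, so compressed or obfuscated font streams would need decoding first, and a hit only means a font is present, not that it is malicious; the sample blob is constructed inline.

```python
# Added example (not code from the article, M86 or Microsoft): flag byte blobs that
# carry a TrueType 'sfnt' offset table, so documents with embedded fonts can be held
# for review. Compressed or obfuscated streams must be decoded before scanning.
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true")  # sfnt versions used for TrueType outlines

def sfnt_header_ok(buf, off):
    """True if a self-consistent 12-byte sfnt offset table starts at `off`.
    searchRange, entrySelector and rangeShift are all derived from numTables,
    so a chance match on the 4-byte magic rarely satisfies all three relations."""
    if off + 12 > len(buf):
        return False
    num_tables, search_range, entry_sel, range_shift = struct.unpack_from(">4H", buf, off + 4)
    if not 1 <= num_tables <= 64:       # real fonts have a few dozen tables at most
        return False
    es = num_tables.bit_length() - 1    # floor(log2(numTables))
    return (entry_sel == es and search_range == 16 << es
            and range_shift == num_tables * 16 - search_range)

def table_tags(buf, off):
    """Return the table tags in the sfnt directory at `off` (16-byte records)."""
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    tags = []
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            break                        # truncated directory: keep what we have
        tags.append(buf[rec:rec + 4].decode("ascii", "replace"))
    return tags

def find_embedded_truetype(data):
    """Return offsets of plausible TrueType fonts anywhere in `data`."""
    hits = []
    for magic in SFNT_MAGICS:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            if sfnt_header_ok(data, pos):
                hits.append(pos)
            start = pos + 1
    return sorted(hits)

def build_sample():
    """Constructed blob: filler, a decoy magic with bogus fields, then a valid header."""
    header = struct.pack(">IHHHH", 0x00010000, 3, 32, 1, 16)   # numTables=3 -> 32, 1, 16
    records = b"".join(struct.pack(">4sIII", t, 0, 0, 0) for t in (b"cmap", b"glyf", b"head"))
    decoy = b"\x00\x01\x00\x00" + b"\xff" * 8                  # passes magic, fails header check
    return b"\x00" * 64 + decoy + b"A" * 100 + header + records + b"\x00" * 32
```

Running `find_embedded_truetype(build_sample())` reports the genuine header at offset 176 and ignores the decoy, and `table_tags` then lists the font's table directory for the analyst.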

Microsoft has released an advisory for this issue and a FixIt tool as a workaround. The tool disables access to the system file T2embed.dll in order to block TrueType font processing. A word of caution, however: applications that rely on these fonts may break once this workaround is deployed.

The malware installed in the known attacks is known as Duqu. The Laboratory of Cryptography and System Security (CrySyS) at Budapest University first reported these attacks, which were then thoroughly investigated by that team and by Symantec.

Author: Bradley Anstis, VP Technical Strategy at M86 Security.
