Microsoft today has releases a security advisory to give customers “guidance for the Windows kernel issue related to the Duqu malware”.

The advisory describes a vulnerability in TrueType font parsing that could allow elevation of privileges. Attackers who manage to exploit the vulnerability can run arbitrary code in kernel mode which would allow them to install programs, “view, change or delete data” and create new accounts with “full user rights”.

Microsoft confirms that targeted attacks are carried out currently that use the vulnerability. The overall impact is however rated as low.

Microsoft is offering a manual workaround for affected versions of Windows on the security advisory page:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

For 64-bit systems, enter the following command from an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

Echo y| cacls “%windir%\syswow64\t2embed.dll” /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

For 64-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

Takeown.exe /f “%windir%\syswow64\t2embed.dll”

Icacls.exe “%windir%\syswow64\t2embed.dll” /deny everyone:(F)

The workaround may impact applications that “rely on embedded font technologies”.

The workaround can be undone again the following way:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

cacls “%windir%\syswow64\t2embed.dll” /E /R everyone

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

For 64-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone

Microsoft furthermore has released a fix it solution that users can run on their system to protect it from the security vulnerability

The fix it can be downloaded from the following Microsoft Knowledge Base article.

It is recommended to apply the workaround on computer systems until Microsoft releases a security patch that resolves the issue without side effects.

Please note that there is a fix-it for enabling and one for disabling the workaround.

The security vulnerability affects only Windows XP and Windows Server 2003 systems. Computer systems running Windows Vista, Windows Server 2008 or Windows 7 are not affected because “the ability to pass data to this control within Internet Explorer” is restricted in these operating systems.

A successful attack will give the attacker the same user rights as the currently logged in user. Microsoft has issued a workaround for the Internet Explorer vulnerability that can be applied manually or using Microsoft Fix It.

The fastest way to patch the security vulnerability is to use the Microsoft Fix It script that will perform all the actions of the workaround automatically. The fix will basically remove support for the ActiveX Control in Internet Explorer. This should not have any impact on the web browser’s functionality according to Microsoft.