Microsoft Releases Critical Windows Security Update

Martin Brinkmann
Nov 4, 2011
Updated • Dec 16, 2014

Back in October a rootkit was discovered that exploits a critical security vulnerability in the Windows operating system. We covered a detection and removal tool two days ago that would scan a PC and remove any traces of the Duqu rootkit from a system.

Microsoft today released a security advisory to give customers "guidance for the Windows kernel issue related to the Duqu malware".

The advisory describes a vulnerability in TrueType font parsing that could allow elevation of privileges. Attackers who manage to exploit the vulnerability can run arbitrary code in kernel mode which would allow them to install programs, "view, change or delete data" and create new accounts with "full user rights".

Microsoft confirms that the vulnerability is currently being used in targeted attacks. The overall impact is, however, rated as low.

Microsoft is offering a manual workaround for affected versions of Windows on the security advisory page:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

For 64-bit systems, enter the following command from an administrative command prompt:

Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N

Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:

Takeown.exe /f "%windir%\system32\t2embed.dll"

Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

For 64-bit systems, enter the following command at an administrative command prompt:

Takeown.exe /f "%windir%\system32\t2embed.dll"

Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)

Takeown.exe /f "%windir%\syswow64\t2embed.dll"

Icacls.exe "%windir%\syswow64\t2embed.dll" /deny everyone:(F)

The workaround may impact applications that "rely on embedded font technologies".

The workaround can be undone in the following way:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

cacls "%windir%\system32\t2embed.dll" /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:

cacls "%windir%\system32\t2embed.dll" /E /R everyone

cacls "%windir%\syswow64\t2embed.dll" /E /R everyone

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:

Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

For 64-bit systems, enter the following command at an administrative command prompt:

Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone
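
To confirm whether the workaround is currently in place on a machine, for example after running the commands above or before undoing them, the following added example (not from Microsoft's advisory or the original article) reads the ACL of each t2embed.dll copy and reports whether a deny Full Control entry for Everyone is present. It assumes PowerShell is installed and matches Everyone by its well-known SID S-1-1-0 instead of by name; the function name Get-T2EmbedWorkaroundState is hypothetical.

```powershell
# Added example: read-only check for the t2embed.dll workaround. Changes no permissions.
# Run from an elevated 64-bit PowerShell on 64-bit Windows; a 32-bit process
# has system32 redirected to syswow64 and would inspect the same file twice.

# Well-known SID for the Everyone group (same on every Windows language version).
$everyoneSid = 'S-1-1-0'
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# The two paths used by the advisory commands. syswow64 exists only on 64-bit Windows.
$paths = @(
    (Join-Path $env:windir 'system32\t2embed.dll'),
    (Join-Path $env:windir 'syswow64\t2embed.dll')
)

function Get-T2EmbedWorkaroundState {
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return 'NotPresent'
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # A deny-all entry can block reading the ACL for an account that is not the owner.
        return 'AclUnreadable'
    }
    # Explicit and inherited entries, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $isDeny  = $rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
        $denyAll = (([int]$rule.FileSystemRights) -band $fullControl) -eq $fullControl
        if ($isDeny -and $denyAll -and ($rule.IdentityReference.Value -eq $everyoneSid)) {
            return 'Applied'
        }
    }
    return 'NotApplied'
}

foreach ($p in $paths) {
    New-Object PSObject -Property @{ Path = $p; Workaround = (Get-T2EmbedWorkaroundState $p) }
}
```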

Microsoft has furthermore released a Fix it solution that users can run on their system to protect it from the security vulnerability.

The fix it can be downloaded from the following Microsoft Knowledge Base article.


It is recommended to apply the workaround on computer systems until Microsoft releases a security patch that resolves the issue without side effects.

Please note that there is a fix-it for enabling and one for disabling the workaround.


Comments

  1. Anonymous said on May 15, 2012 at 6:57 pm

    Just FYI this “fix” will keep WSB from being able to complete a proper sysstate bkup. So you might want to adjust how you deny access.

  2. Mike Corbeil said on November 17, 2011 at 8:11 am

    Martin,

    A question has come to mind. I think to use TrueType fonts, but am not absolutely sure of this and don’t really know how to check if TT fonts are what I’m using, or always using. Maybe some apps are installed and configured to use TT fonts, while others aren’t, and if this is possible, then …?

    Can you tell me how to check for this?

    I used primarily Linux from 1997 to 2005 and recall having specified or selected TT fonts when installing either Linux or some applications, maybe OpenOffice or a Web browser, f.e. But, I’m not sure if this was done with the XP SP3 system I’ve been using since last April and which I didn’t install; having bought the 2008 PC second-hand (used) with XP SP3 already installed only last April. If the option was ever presented in a dialogue for the installation of either some applications or Windows updates though, then I most probably selected TT fonts.

    I don’t really know what difference there is, but TrueType sounds like a name referring to better fonts, so it would be second-nature to select the option whenever it’s presented in a software installation process; for me, anyway. To do differently, I’d have to learn, based on truthful info. and verifiability, that other fonts or font systems, whatever it is, are better. Until then, the word True in TrueType seems serious enough to me. If TT is True fonts or types of fonts, then why use others that’re of lesser quality? It’s my interpretation, which might be incorrect, but the logic is simple. Why use fonts of lower quality, when better is available; and at no greater cost to the user or anyone else?

    That’s as far as I’ve gone in learning about fonts, while there’s plenty more to learn about text formatting. Based on a few months of experience in 1990 working with TeX and LaTeX for converting documentation files on a VAX/VMS system to better and more flexible text formatting, there’s not a tremendous amount of science to this; but, while there definitely and nevertheless is more than what I presently know and recall.

    Anyway, thanks for your initial reply. And do you have any idea when MS will provide a Windows Update (WU) for correcting this problem? I quickly looked over the page at MS that you provided a link for and then went to the “more info” page, without noticing anything about when a real update will be provided. The pages seem to only say that MS is currently working with one or more other parties on trying to resolve this security issue in order to be able to eventually provide a corrective WU.

    Actually, I was just taking a moment to email a friend about this bug, say, and came to notice that the title for the article of this page is, “Microsoft Releases Critical Windows Security Update”, but didn’t see anything of Windows Update-likeness; only seeing that there’s an ACL-related command we’re supposed to be able to execute in a command-line or DOS box, and that MS is providing a temporary fix-it solution or work-around. Maybe MS calls such temporary solutions updates and I’m just not yet aware of this, yet.

    I have a CSC degree and nearly 10 years experience in industry, programming, et cetera, but by far most of the experience in industry was with UNIXes, and from April 1997 to 2007 it was mostly Linux that I personally used. My MS knowledge isn’t novice, but also isn’t expert, either; unless we can say that I’m an expert-level novice. When comparing between novices, then I guess we could say that I’m an expert novice. :)

    That’s not funny at all, for me. Employers usually don’t seek novices of any level of expertise at being novices. :( or (: – (whatever)

    Thanks for your quick reply.

    1. Martin Brinkmann said on November 17, 2011 at 10:15 am

      I’m not a big fan of Wikipedia but the True Type article is quite good: http://en.wikipedia.org/wiki/TrueType

      “TrueType is an outline font standard originally developed by Apple Computer in the late 1980s as a competitor to Adobe’s Type 1 fonts used in PostScript. TrueType has become the most common format for fonts on both the Mac OS and Microsoft Windows operating systems”

  3. Mike Corbeil said on November 16, 2011 at 10:12 am

    Quote : “Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N “:

    I got an error message with that command on my XP SP3 32-bit system. The message is in French, since the OS is installed in Fr., but refers to a mappage and account usernames or names, adding that the security IDs weren’t applied or weren’t applicable. I specified nothing more than the commands that you provided; simply highlighting and copying, and then pasting into the DOS command-line box. So, I didn’t add any usernames to the command; only using what you provided.

    Do you know why this is happening, whether it should, or not, and if there’s a solution to this?

    1. Martin Brinkmann said on November 16, 2011 at 11:17 am

      Well did you open an administrative command prompt?

      1. Mike Corbeil said on November 17, 2011 at 6:28 am

        Martin wrote : “Well did you open an administrative command prompt?”.

        Basically, yes; I think anyway. Though not logged in with the system Administrator account, I was logged in as a user with admin. privilege(s).
        And I always use the same account for doing things that require executing the processes with admin. privileges.

  4. Stanislav Bauman said on November 5, 2011 at 6:35 pm

    Great, but is this protection 100% safe?

  5. Paul(us) said on November 4, 2011 at 9:53 pm

    Great article, super easy to read. Thanks a mill. Martin.

  6. Meena Bassem said on November 4, 2011 at 6:15 pm

    thanks man. i did that, but you forgot to say that users shouldn’t copy and paste unless they change the quotes. the quotes from this site won’t work with the command. you need to change them
    anyway, thanks again bro :D
