Tuesday, 29 November 2011

A simple test ensures the Duqu workaround is working

As I've written about in my previous two postings, the Duqu malware/trojan exploits a bug in Windows TrueType font rendering to install itself. A very serious bug too, one that gives malicious software free rein to do anything it wants.
Microsoft is working on a fix, and in the meantime has offered a workaround that blocks access to the buggy component (the T2embed.dll file). All Windows users should install the workaround, either by issuing commands from a command prompt or by downloading and running a Fix It program from Microsoft.
But how do you know that the workaround is doing its job?
I recently griped about some sloppiness in the Microsoft Security Advisory (2639658). Since then, the advisory has been updated twice, the most recent change being yesterday, November 11th.

However, neither update to the advisory addressed the issue of ensuring, or testing, that the workaround is working.
I'm glad to report that there is a simple test.
Jerry Bryant, group manager of Microsoft's Trustworthy Computing branch, suggests viewing this font embedding demo web page using Internet Explorer.

The page starts off by displaying an envelope as shown below.

The important issue is the font used on the address.
Below is a closer image of the address displayed by Internet Explorer 8 on a vulnerable Windows XP SP3 system.
If you see a font like this, your Windows computer is rendering embedded TrueType fonts and thus is vulnerable to infection by any software knowledgeable and malicious enough to exploit the bug.

After installing the temporary workaround using Microsoft's Fix It tool, the font looks very different as shown below.

If this is how Internet Explorer displays the font on your computer, you are safe. That is, it shows that access to the font parsing routine, T2embed.dll, was blocked.
I verified this twice, on a 32-bit Windows XP system running as an admin user and on a 64-bit Windows 7 system running as a restricted user.
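The visual test above checks the effect of the workaround; the script below, an added example that is not from the original post or from Microsoft, checks its mechanism: the advisory's workaround is a "deny Everyone" entry on the file ACL of t2embed.dll, so a machine where the workaround is in place should show that deny entry and should refuse to open the DLL. It assumes PowerShell 2.0 or later and that the workaround was applied as the advisory describes (an explicit deny for the Everyone group, SID S-1-1-0); on 64-bit Windows it also checks the SysWOW64 copy. The paths, function name and report fields are this example's own choices.

```powershell
# Added example (not from the original post): report whether the advisory 2639658
# workaround, a "deny Everyone" ACE on t2embed.dll, is in effect on this machine.
# Assumptions: PowerShell 2.0+; the workaround adds an explicit Deny entry for the
# Everyone group (SID S-1-1-0), which is what the advisory's cacls command does.

$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# On 64-bit Windows both the native and the WOW64 copy of the DLL must be blocked.
$candidates = @("$env:windir\System32\t2embed.dll", "$env:windir\SysWOW64\t2embed.dll") |
    Where-Object { Test-Path -Path $_ }

function Test-T2embedBlocked {
    param([string]$Path)

    $result = New-Object PSObject -Property @{
        Path         = $Path
        DenyAceFound = $false
        OpenDenied   = $false
        Note         = ''
    }

    # Check 1: does the DACL carry an explicit Deny entry for Everyone?
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($ace.AccessControlType -eq 'Deny' -and $sid -eq $everyoneSid) {
                $result.DenyAceFound = $true
            }
        }
    } catch {
        # A blanket deny also denies READ_CONTROL, so reading the DACL can itself fail
        # for a non-owner; treat that as inconclusive rather than as a pass.
        $result.Note = "Could not read the DACL: $($_.Exception.Message)"
    }

    # Check 2: can this account open the DLL at all? The workaround is a file ACL, so a
    # successful open means the library is still reachable from the current user.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Close()
    } catch {
        $result.OpenDenied = $true
    }

    $result
}

$report = $candidates | ForEach-Object { Test-T2embedBlocked -Path $_ }
$report | Format-Table Path, DenyAceFound, OpenDenied, Note -AutoSize

if ($report | Where-Object { -not $_.OpenDenied }) {
    Write-Warning 'At least one copy of t2embed.dll is still readable: the workaround is not fully in effect.'
} else {
    Write-Output 't2embed.dll is blocked for this account; confirm with the font embedding page in Internet Explorer.'
}
```

Run it from the account you normally browse with: OpenDenied answers the question for that account, while DenyAceFound shows the ACL as written. The two checks are complementary to the IE test rather than a replacement for it, since the ACL proves the file is blocked but only the rendered page proves the browser's font path actually hit the block.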
Bryant also pointed out* that "Any browser that relies on the kernel to parse embedded TrueType fonts may be affected by this issue."
Since kernel rendering of TrueType fonts is not something browser vendors frequently discuss, I also tested Firefox 8 and Chrome 15 on vulnerable instances of Windows 7 and XP.
Neither browser rendered the embedded TrueType font.

To be clear, this simply means that the system cannot be infected by viewing a malicious web page in Firefox or Chrome. However, a Windows computer without the workaround can still be infected by other software, such as a malicious Word document or PowerPoint presentation.
So, please install the workaround, and nag your friends to do so as well.

*I did not speak with Bryant directly. Microsoft's PR firm forwarded emails between us. 
