Microsoft Releases Critical Windows Security Update

Windows users take heed; this one looks like a very important security update … for a change.

Back in October a rootkit was discovered that exploits a critical security vulnerability in the Windows operating system. We covered a detection and removal tool two days ago that would scan a PC and remove any traces of the Duqu rootkit from a system.

Microsoft today has releases a security advisory to give customers “guidance for the Windows kernel issue related to the Duqu malware”.

The advisory describes a vulnerability in TrueType font parsing that could allow elevation of privileges. Attackers who manage to exploit the vulnerability can run arbitrary code in kernel mode which would allow them to install programs, “view, change or delete data” and create new accounts with “full user rights”.

Microsoft confirms that targeted attacks are carried out currently that use the vulnerability. The overall impact is however rated as low.

Microsoft is offering a manual workaround for affected versions of Windows on the security advisory page:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

For 64-bit systems, enter the following command from an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

Echo y| cacls “%windir%\syswow64\t2embed.dll” /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

For 64-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

Takeown.exe /f “%windir%\syswow64\t2embed.dll”

Icacls.exe “%windir%\syswow64\t2embed.dll” /deny everyone:(F)

The workaround may impact applications that “rely on embedded font technologies”.

The workaround can be undone again the following way:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

cacls “%windir%\syswow64\t2embed.dll” /E /R everyone

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

For 64-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone

Microsoft furthermore has released a fix it solution that users can run on their system to protect it from the security vulnerability

The fix it can be downloaded from the following Microsoft Knowledge Base article.

microsoft fix-it duqu rootkit

It is recommended to apply the workaround on computer systems until Microsoft releases a security patch that resolves the issue without side effects.

Please note that there is a fix-it for enabling and one for disabling the workaround.


© Martin Brinkmann for gHacks Technology News | Latest Tech News, Software And Tutorials, 2011. | Permalink |
Add to del.icio.us, digg, facebook, reddit, twitter
Post tags: , , , ,

Link to Original Content

Tags: , , , ,

Comments are closed.