Date: 04 November 2011
References: ESB-2011.1235.2 ESB-2012.0444 ESB-2012.0540
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.1106
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
4 November 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Windows TrueType font parsing engine
Publisher: Microsoft
Operating System: Windows XP
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Impact/Access: Administrator Compromise -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2011-3402
Original Bulletin:
http://technet.microsoft.com/en-us/security/advisory/2639658
Comment: This vulnerability is related to the Duqu malware.
--------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2639658)
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege
Published: Thursday, November 03, 2011 | Updated: Thursday, November 03, 2011
Version: 1.1
General Information
Executive Summary
Microsoft is investigating a vulnerability in a Microsoft Windows
component, the Win32k TrueType font parsing engine. An attacker who
successfully exploited this vulnerability could run arbitrary code in
kernel mode. The attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. We are aware
of targeted attacks that try to use the reported vulnerability;
overall, we see low customer impact at this time. This vulnerability is
related to the Duqu malware.
Upon completion of this investigation, Microsoft will take the
appropriate action to help protect our customers. This may include
providing a security update through our monthly release process or
providing an out-of-cycle security update, depending on customer needs.
Mitigating Factors
* The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that
is sent in an e-mail message.
Affected Software
This advisory discusses the following software.
Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Suggested Actions
Workarounds
* Deny access to T2EMBED.DLL
Note For this workaround, including the automated Microsoft Fix it
solution, commands may only work in English language versions.
Note See Microsoft Knowledge Base Article 2639658 to use the
automated Microsoft Fix it solution to enable or disable this
workaround to deny access to t2embed.dll.
On Windows XP and Windows Server 2003:
+ For 32-bit systems, enter the following command at an
administrative command prompt:
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N
+ For 64-bit systems, enter the following command from an
administrative command prompt:
Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N
Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N
On Windows Vista, Windows 7, Windows Server 2008, and Windows
Server 2008 R2:
+ For 32-bit systems, enter the following command at an
administrative command prompt:
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
+ For 64-bit systems, enter the following command at an
administrative command prompt:
Takeown.exe /f "%windir%\system32\t2embed.dll"
Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
Takeown.exe /f "%windir%\syswow64\t2embed.dll"
Icacls.exe "%windir%\syswow64\t2embed.dll" /deny everyone:(F)
Impact of Workaround. Applications that rely on embedded font
technology will fail to display properly.
How to undo the workaround.
On Windows XP and Windows Server 2003:
+ For 32-bit systems, enter the following command at an
administrative command prompt:
cacls "%windir%\system32\t2embed.dll" /E /R everyone
+ For 64-bit systems, enter the following command at an
administrative command prompt:
cacls "%windir%\system32\t2embed.dll" /E /R everyone
cacls "%windir%\syswow64\t2embed.dll" /E /R everyone
On Windows Vista, Windows 7, Windows Server 2008, and Windows
Server 2008 R2:
+ For 32-bit systems, enter the following command at an
administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone
+ For 64-bit systems, enter the following command at an
administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone
Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone
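As an added example (not part of the Microsoft advisory or the AusCERT bulletin), the following PowerShell script reports whether the Everyone:Deny entry set by the workaround above is present on each copy of t2embed.dll, so the state can be verified before and after the apply or undo commands. It assumes PowerShell 2.0 or later run from an elevated session that is allowed to read each file's DACL (the owner, or an administrator who ran Takeown.exe).

```powershell
# Added example, not part of Advisory 2639658: report whether the
# "Deny access to T2EMBED.DLL" workaround is in place on this machine.
# Assumes PowerShell 2.0 or later in an elevated session that can read
# each file's DACL (an administrator who took ownership, or the owner).

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of UI language

# syswow64 exists only on 64-bit Windows; the advisory restricts both copies there
$paths = @("$env:windir\system32\t2embed.dll")
if (Test-Path -LiteralPath "$env:windir\syswow64\t2embed.dll") {
    $paths += "$env:windir\syswow64\t2embed.dll"
}

# Return the Deny ACEs for Everyone on a file (empty when the workaround is absent)
function Get-EveryoneDenyAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
    }
}

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "$p not found"
        continue
    }
    try {
        $deny = @(Get-EveryoneDenyAce -Path $p)
    } catch {
        # Everyone:Deny (F) also denies READ_CONTROL, so only the owner or an
        # administrator with owner rights can read the DACL once it is applied
        Write-Warning ("{0}: cannot read DACL ({1})" -f $p, $_.Exception.Message)
        continue
    }
    if ($deny.Count -gt 0) {
        "{0}: workaround APPLIED (Everyone Deny: {1})" -f $p, $deny[0].FileSystemRights
    } else {
        "{0}: workaround NOT applied (no Everyone Deny ACE)" -f $p
    }
}
```

Undoing the workaround on Windows Vista and later removes only the deny entry; the file's owner stays as set by Takeown.exe, which this script does not report.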
Acknowledgments
Microsoft thanks the following for working with us to help protect
customers:
* Symantec and the Laboratory of Cryptography and System Security
(CrySyS) for working with us on the TrueType Font Parsing
Vulnerability (CVE-2011-3402)
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================