Michael Horowitz

Why Duqu is more dangerous than most people think

November 09, 2011 10:15 PM EST
I don't care who wrote the Duqu virus/trojan.
I don't care if it's related to Stuxnet or not.
I don't care who or what the target of Duqu was.

As a Windows user, what I care about most is that Duqu exploited a previously unknown bug in the way Windows parses TrueType fonts.

Microsoft says the threat from Duqu is limited. That is too narrow a view. The issue is not Duqu itself but the TrueType font parsing bug in Windows that it exploited.

The people behind Duqu could exploit this still-unpatched bug again in different malware. And they may not be the only people on the planet who found this new bug in Windows.

The bug is not yet fixed, but Microsoft has published a workaround (in Security Advisory 2639658) that denies all access to t2embed.dll, the library through which embedded fonts reach the buggy parsing code. Although I griped about the workaround last time, it's very important that Windows users install it.

Very important.

All the articles I read about Duqu referred to a malicious Word document. But the bug is not in Word; it's in Windows. Version 1.2 of Microsoft's advisory (dated November 4th) clearly stated in the FAQ section that a malicious web page could also be used to exploit the bug.

One of my gripes was that the Mitigating Factors section of the advisory only referred to Word documents. This was an oversight by Microsoft. As of November 8th (version 1.3), the Mitigating Factors section has been revised to include the fact that Windows users are "vulnerable to exploitation of this vulnerability through the Web-based attack scenario."

In plain terms, all that's needed to get infected is viewing a malicious web page with an embedded TrueType font. No email. No Word. No attachments.

That's why installing the workaround from Microsoft, available in Fix It form, is a really good idea.
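
If you would rather not rely on the Fix It (or want to confirm that it did what it claims), the check below is an added example of mine, not code from the original post and not Microsoft's Fix It. It assumes the manual workaround in Microsoft Security Advisory 2639658 is exactly "deny Everyone full control of t2embed.dll" (on 64-bit Windows, both the System32 and SysWOW64 copies), and that it is run from an elevated PowerShell prompt. It reports whether that deny entry is present and, with -Apply, adds it using the same icacls command the advisory gives.

```powershell
# Added example, not part of the original post and not Microsoft's Fix It.
# Checks (and, with -Apply, applies) the manual workaround from Microsoft
# Security Advisory 2639658: deny all access to t2embed.dll, the library
# Windows uses to load embedded TrueType fonts. Assumptions (mine): the
# workaround is exactly that deny ACL, and this runs from an elevated prompt.
param([switch]$Apply)

# 64-bit Windows carries a second, 32-bit copy of the DLL under SysWOW64.
$targets = @("$env:windir\System32\t2embed.dll", "$env:windir\SysWOW64\t2embed.dll") |
    Where-Object { Test-Path -LiteralPath $_ }

$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$full        = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-T2EmbedBlocked {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # Compare by SID so the check also works on non-English Windows,
        # where the Everyone group has a localized name.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $everyoneSid -and (($ace.FileSystemRights -band $full) -eq $full)) {
            return $true
        }
    }
    return $false
}

foreach ($dll in $targets) {
    if (Test-T2EmbedBlocked $dll) {
        Write-Output "OK       $dll  (Everyone is denied full control)"
    }
    elseif ($Apply) {
        # Same command the advisory gives; *S-1-1-0 is the Everyone SID, so the
        # command does not depend on the localized group name.
        & icacls.exe $dll /deny '*S-1-1-0:(F)'
        if (Test-T2EmbedBlocked $dll) { Write-Output "APPLIED  $dll" }
        else { Write-Warning "could not verify the deny entry on $dll" }
    }
    else {
        Write-Output "EXPOSED  $dll  (no deny entry; rerun with -Apply from an elevated prompt)"
    }
}
```

Run it with no arguments to audit, and with -Apply to put the workaround in place. Because the deny entry sits on the file rather than in a registry setting, a successful check here means any program that tries to load embedded fonts through t2embed.dll, not just Word, will be refused. To undo the workaround later, `icacls.exe <path-to-t2embed.dll> /remove:d *S-1-1-0` removes the deny entry.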

Web pages are formatted using HTML, and so are most email messages. This raises another question: can Windows users get infected by viewing a malicious HTML-formatted email message that contains an embedded TrueType font?

Regarding their own email software, Microsoft says in the advisory:
By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables font download by default.

I know people using Outlook 2003. Is that still considered supported? Does my email program, Thunderbird, support embedded TrueType fonts? Are web based email systems vulnerable?
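Microsoft's statement rests on one setting: the HTML rendering engine those mail clients use takes its permissions from the Internet Explorer "Restricted sites" zone, and that zone's "Font download" action is what decides whether an embedded font is fetched and parsed. The script below is an added example of mine, not from the post or the advisory, that reads that setting for the current user and for the machine. It assumes (my reading of the IE security-zone registry layout, not something the advisory spells out) that zone 4 is Restricted sites, that URL action 1604 is "Font download", and that its values mean 0 = enable, 1 = prompt, 3 = disable.

```powershell
# Added example, not from the original post or Microsoft's advisory.
# Reports the "Font download" URL action for the Restricted sites zone, the
# zone Outlook, Outlook Express and Windows Mail use for HTML mail.
# Assumptions (mine): zone 4 = Restricted sites, value "1604" = Font download,
# 0 = enable, 1 = prompt, 3 = disable. Both hives are read because a
# per-machine value can be set by policy; no precedence is implied here.
$zoneKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
$fontDownloadAction = '1604'
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

function Get-RestrictedZoneFontDownload {
    $results = @()
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$zoneKey"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        if ($props.PSObject.Properties.Name -contains $fontDownloadAction) {
            $value = [int]$props.$fontDownloadAction
            $state = $meaning[$value]
            if (-not $state) { $state = "unknown ($value)" }
            $results += [pscustomobject]@{ Hive = $hive; Value = $value; State = $state }
        }
    }
    return $results
}

$settings = Get-RestrictedZoneFontDownload
if ($settings.Count -eq 0) {
    # The advisory says the zone's built-in template disables font download;
    # no explicit value means that template default is what applies.
    Write-Output 'Restricted sites zone: no explicit Font download value (zone template default applies)'
}
foreach ($s in $settings) {
    Write-Output ("Restricted sites zone [{0}]: Font download {1}" -f $s.Hive, $s.State)
    if ($s.Value -ne 3) {
        Write-Warning ("{0}: font download is not disabled; HTML mail rendered in this zone could load embedded fonts" -f $s.Hive)
    }
}
```

This answers the question for Microsoft's own clients only. Thunderbird and web mail do not consult IE zones at all: web mail inherits whatever the browser does with embedded fonts, which is exactly the web-page case above, and Thunderbird has its own rendering engine, so the only reliable protection across all of them remains the file-level workaround on t2embed.dll.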

Even in the best case, using safe email software (that is, software that does not support embedded TrueType fonts), a Windows user can still be infected by clicking a link in an email message that opens a malicious web page.

That, in turn, raises the question of which browsers support embedded TrueType fonts.

I don't want to go there, and you probably don't either. After all, it's likely that software other than Word, email clients and browsers supports embedded TrueType fonts. PDF files, for one, routinely carry embedded TrueType fonts.

Install the workaround. It's the Defensive Computing thing to do.

Update November 12, 2011: My next blog posting describes a simple test that ensures the Duqu workaround is, in fact, working.