
Duqu Malware TrueType Font Parsing Vulnerability

By GoldSparrow in Malware

Microsoft has said nothing yet about a permanent fix for a recent zero-day vulnerability in the TrueType font parsing engine. The zero-day, the Duqu Malware TrueType Font Parsing vulnerability, could allow execution of arbitrary code in kernel mode, which in itself is problematic. At kernel level, such an exploit would give an attacker full administrative rights: the ability to install programs, manipulate data (collect, view, change or delete it) and create new accounts with full user rights.

Duqu Malware was first discovered in October 2011 at the Budapest University of Technology and Economics Laboratory of Cryptography and System Security (CrySyS). Security researchers who analyzed Duqu samples noted similarities to the Stuxnet worm, a highly dangerous infection that infiltrated Iranian nuclear installations.

The vulnerable library, T2embed.dll, which handles embedded fonts, ends up executing a Trojan when the flaw is exploited and the malicious content is opened. Microsoft has issued a temporary fix that disables the troubled file, but this has a drawback: Word and Excel are not the only users of the library, so disabling it also impedes other programs, for instance Adobe Acrobat Reader, and keeps them from using embedded fonts at all.

The malicious intent or payload depends on who exploits the flaw or created the Trojan. It is also reported that the Trojan downloaded via the Duqu 'TrueType Font Parsing' vulnerability is intended to steal digital certificates, which could be used to fool anti-virus or security programs into treating malware as legitimate.

Sadly, Microsoft products remain the biggest target of malware. Just last month the same TrueType parsing engine required a patch to prevent it from being exploited for denial-of-service (DoS) attacks, and a similar concern arose in June 2010. Records show Microsoft has patched more than 56 kernel vulnerabilities since February 2011, mainly due to an ancient NT 3.x/4.x design.

If you do not have stealth anti-malware protection in place, a hacker could quietly be using your system resources in the background to launch a DNS attack or a mass email spam campaign, or could be on the receiving end of data the Trojan collected and sent to a remote server, or of data a Trojan keylogger captured from web-based financial forms.

Manual removal is not impossible, but if you are not highly skilled in identifying and editing key files, you could cause major damage to your hard drive. For this reason, security experts suggest relying on a reputable, professional anti-malware tool known to remove viruses from these key areas safely.

File System Details

Duqu Malware TrueType Font Parsing Vulnerability may create the following file(s):

1. %Program Files%\Protection Center\protext.dll
2. %Windows%\system32\Drivers\jminet7.sys

Registry Details

Duqu Malware TrueType Font Parsing Vulnerability may create the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'tmp'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ XTray.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 'SelfdelNT'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run '[random string]'
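As an added example, not part of the original write-up, the following read-only PowerShell check looks for the file and registry indicators listed above on a Windows host. It assumes the names quoted after the Run/RunOnce keys ('tmp', 'SelfdelNT', XTray.exe) are registry value names; the '[random string]' value cannot be matched by name, so every value under that key is listed for review instead.

```powershell
# Added example, not from the original page: read-only audit of a Windows host
# for the Duqu file and registry indicators listed above. Assumes the quoted
# names ('tmp', 'SelfdelNT', XTray.exe) are value names under Run/RunOnce.
# Run from an elevated prompt; nothing on the host is modified.

$files = @(
    (Join-Path $env:ProgramFiles 'Protection Center\protext.dll'),
    (Join-Path $env:SystemRoot   'System32\Drivers\jminet7.sys')
)

# KeyAlone: the key's existence is itself the indicator (the service that would
# load jminet7.sys). Values = @(): the page names no value, so every value under
# the key is listed for analyst review (covers the '[random string]' entry).
$registry = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\JmiNET3';         Values = @();            KeyAlone = $true  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Values = @('XTray.exe'); KeyAlone = $false },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Values = @();            KeyAlone = $false },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Values = @('tmp');       KeyAlone = $false },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Values = @('SelfdelNT'); KeyAlone = $false },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Values = @();            KeyAlone = $false }
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'Indicator'; Location = $f; Detail = "SHA256 $hash" }
    }
}

foreach ($r in $registry) {
    if (-not (Test-Path -LiteralPath $r.Path)) { continue }
    $key = Get-Item -LiteralPath $r.Path
    if ($r.KeyAlone) {
        $findings += [pscustomobject]@{ Type = 'Indicator'; Location = $r.Path; Detail = 'service key present' }
        continue
    }
    $named = $r.Values.Count -gt 0
    $names = if ($named) { $r.Values } else { $key.GetValueNames() }
    foreach ($v in $names) {
        $data = $key.GetValue($v)
        if ($null -eq $data) { continue }
        $type = if ($named) { 'Indicator' } else { 'Review' }
        $findings += [pscustomobject]@{ Type = $type; Location = "$($r.Path)\$v"; Detail = $data }
    }
}

if ($findings.Count -eq 0) { 'No listed Duqu indicators found.' } else { $findings | Format-Table -AutoSize }
```

Entries typed 'Review' are not detections on their own; RunOnce and the per-user Run key legitimately hold values, so compare them against what you expect on that host.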
