Author Topic: A simple test ensures the Duqu workaround is working

javajolt (Administrator, windows10newsinfo.com)
A simple test ensures the Duqu workaround is working
« on: November 12, 2011, 09:46:12 PM »
The Duqu malware/trojan exploits a bug in Windows TrueType font rendering to install itself. A very serious bug too, one that gives malicious software free rein to do anything it wants.

Microsoft is working on a fix, and in the meantime has offered a workaround that blocks access to the buggy software (the T2embed.dll file). All Windows users should install the workaround either by issuing commands from a DOS prompt or by downloading and running a Fix It program from Microsoft.

But how do you know that the workaround is doing its job?

I recently griped about some sloppiness in the Microsoft Security advisory (2639658). Since then, the advisory has been updated twice, the most recent change being yesterday, November 11th.

However, neither update to the advisory addressed the issue of ensuring or testing that the workaround is working.

I'm glad to report that there is a simple test.

Jerry Bryant, group manager of Microsoft's Trustworthy Computing branch, suggests viewing this font embedding demo web page using Internet Explorer.
 
The page starts off by displaying an envelope as shown below.



The important issue is the font used on the address.

Below is a closer image of the address displayed by Internet Explorer 8 on a vulnerable Windows XP SP3 system.



If you see a font like this, your Windows computer is rendering embedded TrueType fonts and thus is vulnerable to infection by any software knowledgeable and malicious enough to exploit the bug.
 
After installing the temporary workaround using Microsoft's Fix It tool, the font looks very different as shown below.



If this is how Internet Explorer displays the font on your computer, you are safe.

I verified this twice, on a 32-bit Windows XP system running as an admin user and on a 64-bit Windows 7 system running as a restricted user.

Mr. Bryant also pointed out that "Any browser that relies on the kernel to parse embedded TrueType fonts may be affected by this issue."

Since kernel rendering of TrueType fonts is not something browser vendors frequently discuss, I also tested Firefox 8 and Chrome 15 on vulnerable instances of Windows 7 and XP.

Neither browser rendered the embedded TrueType font.
 
To be clear, this simply means that the system cannot be infected by viewing a malicious web page in Firefox or Chrome. However, a Windows computer without the workaround can still be infected by other software, such as a malicious Word document or PowerPoint presentation.

So, please install the workaround and nag your friends too.
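The font-rendering test above checks the workaround from the outside, by eye. As an added example (not part of the original post, and not a Microsoft tool), the PowerShell script below checks the same thing from the inside: advisory 2639658's workaround works by denying the Everyone group access to t2embed.dll, so the script reads the file's ACL, looks for a Deny entry for the Everyone SID (S-1-1-0, so it works on non-English Windows), and then tries to open the file for reading to confirm the deny actually bites. It assumes the workaround was applied as the advisory describes (an explicit Deny ACE on t2embed.dll in System32, and also in SysWOW64 on 64-bit Windows); the file paths and the function name are this example's own choices.

```powershell
# Added example: verify the advisory 2639658 workaround (Deny Everyone on t2embed.dll).
# Assumptions: the workaround was applied as an explicit Deny ACE for Everyone on
# t2embed.dll in System32 (and SysWOW64 on 64-bit Windows). Not a Microsoft tool.

$EveryoneSid = 'S-1-1-0'   # well-known SID for the Everyone group, locale-independent

function Test-T2embedWorkaround {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [pscustomobject]@{
        Path        = $Path
        Present     = $false   # does the DLL exist at this path?
        DenyAce     = $false   # is there a Deny entry for Everyone in its ACL?
        ReadBlocked = $false   # does opening the file for reading actually fail?
        Detail      = ''
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Detail = 'file not found'
        return $result
    }
    $result.Present = $true

    # 1. Static check: look for a Deny ACE whose principal resolves to Everyone.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable principal; not the one we are looking for
        }
        if ($sid -eq $EveryoneSid) {
            $result.DenyAce = $true
            $result.Detail  = "Deny ACE for Everyone: $($ace.FileSystemRights)"
            break
        }
    }

    # 2. Behavioural check: a Deny for Everyone also applies to the current user,
    #    so a plain read attempt should fail with access denied.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Close()
        $result.Detail += '; file is still readable'
    } catch [System.UnauthorizedAccessException] {
        $result.ReadBlocked = $true
        $result.Detail += '; read attempt denied'
    } catch {
        $result.Detail += "; read attempt failed: $($_.Exception.GetType().Name)"
    }

    return $result
}

# Check every copy of the DLL a 32- or 64-bit system may carry.
$paths = @("$env:windir\System32\t2embed.dll")
if (Test-Path -LiteralPath "$env:windir\SysWOW64\t2embed.dll") {
    $paths += "$env:windir\SysWOW64\t2embed.dll"
}

$results = foreach ($p in $paths) { Test-T2embedWorkaround -Path $p }
$results | Format-Table -AutoSize

$protected = @($results | Where-Object { $_.Present -and $_.DenyAce -and $_.ReadBlocked })
if ($protected.Count -eq @($results | Where-Object Present).Count -and $protected.Count -gt 0) {
    Write-Host 'Workaround appears to be in place on every copy of t2embed.dll.'
} else {
    Write-Host 'Workaround NOT confirmed: at least one copy of t2embed.dll lacks the Deny entry or is still readable.'
}
```

Run it from an ordinary (non-elevated) PowerShell prompt; running as an account that holds backup privileges can make the read check succeed even though the ACL is correct, which is why the script reports the ACL check and the read check separately. A green result here complements, rather than replaces, the demo-page test: the ACL tells you the block is configured, while the envelope rendering tells you the font engine really is no longer being reached.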

To enable or disable this Fix it solution, click the Fix it button or link under the Enable heading or under the Disable heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard. Note: Save As is also an option.


Notes

• These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.

• If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Known issues with this workaround

• After you apply this workaround on a system that is running Windows XP or Windows Server 2003, you may be reoffered security updates 982132 and 972270. You will be unable to install these reoffered updates. The reoffering is a detection logic issue. Users who have previously applied both security updates successfully can ignore the reoffer.