A new vulnerability in Windows, CVE-2011-3402, has been
recently identified and is already being exploited in the wild. For now, only a
handful of targeted attacks have been found. The vulnerability exists in
the Windows TrueType font parsing engine and affects most Windows versions,
including Windows 7. An attack involves a file that has a maliciously crafted
TrueType font file (TTF) embedded in it. Several file formats can carry
embedded TrueType fonts, for example the file formats of Microsoft Office and Adobe
Acrobat Reader. In the currently known targeted attacks, a Microsoft Word
document was used. Once the document is rendered on a vulnerable system, parsing the embedded TTF
can lead to execution of malicious code. Microsoft has released an advisory
for this issue and also released a FixIt tool as a workaround. It disables access
to the system file T2embed.dll so that TrueType fonts are no longer processed.
However, a word of caution: applications that rely on these fonts may break after
this workaround is deployed.
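As an added example (not code from the original post or from Microsoft's FixIt), the following PowerShell script lets an administrator see whether the "deny access to T2embed.dll" workaround is in place on a host, and apply or revert it. It assumes the standard %windir%\System32 (and SysWOW64 on 64-bit) location of t2embed.dll, models the workaround as a Deny ACE for the built-in Everyone group (matching the behaviour the post describes), uses icacls for the write operations, and must be run from an elevated session.

```powershell
# Added example, not part of the original post. Assumptions: standard
# t2embed.dll paths; "workaround applied" == a Deny ACE for Everyone on the
# file. Run elevated. Reverting is needed once the real patch is installed.

$T2embedPaths = @("$env:windir\System32\t2embed.dll")
if (Test-Path "$env:windir\SysWOW64\t2embed.dll") {
    # 64-bit Windows also carries a 32-bit copy used by WOW64 applications
    $T2embedPaths += "$env:windir\SysWOW64\t2embed.dll"
}

function Get-T2embedWorkaroundState {
    # One object per copy of the DLL: path, whether the Deny ACE for
    # Everyone is present, and the file version (useful for inventory).
    foreach ($path in $T2embedPaths) {
        if (-not (Test-Path $path)) { continue }
        $acl  = Get-Acl -Path $path
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone'
        }
        [pscustomobject]@{
            Path              = $path
            WorkaroundApplied = [bool]$deny
            FileVersion       = (Get-Item $path).VersionInfo.FileVersion
        }
    }
}

function Enable-T2embedWorkaround {
    # Deny Everyone full access to the DLL. Expect applications that depend
    # on embedded TrueType fonts to break while this is in effect.
    foreach ($path in $T2embedPaths) {
        if (Test-Path $path) { icacls $path /deny 'Everyone:(F)' | Out-Null }
    }
}

function Disable-T2embedWorkaround {
    # Remove the Deny ACE again (e.g. after the security update is applied).
    foreach ($path in $T2embedPaths) {
        if (Test-Path $path) { icacls $path /remove:d Everyone | Out-Null }
    }
}

# Report the current state; call Enable-/Disable-T2embedWorkaround as needed.
Get-T2embedWorkaroundState | Format-Table -AutoSize
```

The read-only check is safe to run broadly (for example through remoting) to confirm that a fleet-wide rollout of the workaround actually took effect; the enable and disable functions change ACLs on a system file and should be run deliberately, with the revert step scheduled for after the patch lands.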
In the known attacks, the installed malware is known as Duqu.
The Laboratory of Cryptography and System Security (CrySyS) at Budapest University
first reported these attacks, and they were thoroughly investigated by that team
and by Symantec in the following article.
M86 Security Secure Web Gateway (SWG) can be deployed with any of
three antivirus scanners, Kaspersky, McAfee and Sophos, and all three have already released protection.
No additional Security Update by M86 Security is required. In addition, we are
investigating adding more layers of protection in the future. Keep in mind that
these attacks are currently not delivered via the web browser, but that can obviously change
in the future.
We will continue to monitor the situation and update this blog post as necessary.