
Check Point Protects Networks Against Vulnerability Being Exploited by the Duqu Malware


(Microsoft Security Advisory 2639658 / CVE-2011-3402)

Summary


A vulnerability in the Microsoft Windows TrueType font parsing engine can be exploited by convincing a targeted user to open a maliciously crafted Word document, which can allow an attacker to execute code on the affected system. This vulnerability is being exploited in the wild by the Duqu malware. The Check Point IPS Software Blade protects networks against this issue in the latest IPS update.

Details


This vulnerability is due to improper bounds checking when parsing TrueType font (TTF) files. A remote attacker may exploit this vulnerability by enticing an affected user to open a maliciously crafted TTF file. Successful exploitation of this vulnerability may allow execution of arbitrary code in kernel mode on a targeted system, and/or lead to a local elevation of privilege condition.

Affected Products

This issue affects the following versions of Windows:

  • Windows XP SP3 and XP Professional x64 Edition SP2
  • Windows Server 2003 SP2 and x64 Edition SP2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2 and x64 Edition SP2
  • Windows Server 2008 for 32-bit Systems SP2
  • Windows Server 2008 for x64-based Systems SP2
  • Windows Server 2008 for Itanium-based Systems SP2
  • Windows 7 for 32-bit Systems - original release and SP1
  • Windows 7 for x64-based Systems - original release and SP1
  • Windows Server 2008 R2 for x64-based Systems - original release and SP1
  • Windows Server 2008 R2 for Itanium-based Systems - original release and SP1

Solution


As of November 7, 2011, Microsoft has not released a patch for this issue. The Check Point IPS Software Blade provides immediate network protection against this vulnerability in the latest IPS update, by detecting and blocking attempts to transfer malicious TrueType fonts over HTTP. For more details, see CPAI-2011-512.
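The two technical points above, a TrueType parser that does not trust the offsets and lengths it reads, and a network check that recognises a TrueType font in an HTTP response regardless of its Content-Type, can be illustrated together. The following Python is an added example written for this page; it is not Check Point's IPS signature nor Microsoft's font engine, and the malformed sample it builds is a constructed truncated file, not the CVE-2011-3402 trigger (which the advisory does not describe). The sfnt header layout (4-byte version tag, uint16 numTables, 16-byte table records of tag, checksum, offset, length, all big-endian) is the public format; `build_sfnt`, `truncated_font` and `inspect_http_response` are helper names chosen here.

```python
import struct

# Public sfnt container magics: classic TrueType, Apple 'true', and CFF-based OpenType.
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}


class TTFParseError(ValueError):
    """Raised when the table directory is inconsistent with the file size."""


def parse_ttf_directory(data: bytes) -> dict:
    """Parse the sfnt offset table and table records with explicit bounds checks.

    Returns {tag: (offset, length)}. Every offset/length comes from the file, so
    each one is validated against len(data) before it could be used to index
    table contents; this is the check a parser with 'improper bounds checking'
    omits.
    """
    size = len(data)
    if size < 12:
        raise TTFParseError("file shorter than the 12-byte offset table")
    if data[:4] not in SFNT_MAGICS:
        raise TTFParseError("unknown sfnt version tag")
    num_tables = struct.unpack(">H", data[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if dir_end > size:
        raise TTFParseError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        # Compare in Python integers (no wraparound) and never form offset+length
        # before confirming both halves fit inside the buffer.
        if offset > size or length > size - offset:
            raise TTFParseError(f"table {tag!r} lies outside the file")
        if tag in tables:
            raise TTFParseError(f"duplicate table {tag!r}")
        tables[tag] = (offset, length)
    return tables


def looks_like_truetype(body: bytes) -> bool:
    """Content sniffing: decide by magic bytes, not by the Content-Type header."""
    return len(body) >= 12 and body[:4] in SFNT_MAGICS


def inspect_http_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response and report whether its body is an sfnt font
    and whether that font's directory passes the bounds checks above."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    result = {
        "content_type": headers.get(b"content-type", b"").decode("ascii", "replace"),
        "is_font": looks_like_truetype(body),
        "malformed": False,
    }
    if result["is_font"]:
        try:
            result["tables"] = sorted(parse_ttf_directory(body))
        except TTFParseError as exc:
            result["malformed"] = True
            result["reason"] = str(exc)
    return result


# --- constructed sample data (not real fonts, checksums left as zero) ---

def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal, well-formed sfnt container from {tag: payload}."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    offset = 12 + 16 * num
    records, blobs = b"", b""
    for tag, payload in tables.items():
        records += struct.pack(">4sIII", tag, 0, offset, len(payload))
        blobs += payload
        offset += len(payload)
    return header + records + blobs


def truncated_font(good: bytes) -> bytes:
    """Keep only the directory so every table record points past the end."""
    num = struct.unpack(">H", good[4:6])[0]
    return good[:12 + 16 * num]


def http_response(body: bytes, content_type: bytes) -> bytes:
    """Wrap a body in a minimal HTTP/1.1 200 response (constructed)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


GOOD_FONT = build_sfnt({b"head": b"\x00" * 54, b"glyf": b"\x01" * 8})
BAD_FONT = truncated_font(GOOD_FONT)

if __name__ == "__main__":
    # The font served as a generic binary is still recognised and rejected.
    print(inspect_http_response(http_response(BAD_FONT, b"application/octet-stream")))
    print(inspect_http_response(http_response(GOOD_FONT, b"font/ttf")))
```

The detection half deliberately ignores the declared Content-Type: a font delivered as `application/octet-stream` or inside another download is still identified by its magic bytes, which is the property a network control needs if it is to block font transfers rather than just well-labelled ones. The parser half shows the shape of the fix on the consumer side: every attacker-supplied offset and length is checked against the buffer before any table is read.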


Originally Published:

Last Updated: 07-Nov-2011
