intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.
OCS ADVISORY NUMBER:
2011-067
DATE(S) ISSUED:
11/4/2011
SUBJECT:
Vulnerability in Microsoft Windows Could Allow Remote Code Execution
A vulnerability has been discovered in Microsoft Windows Kernel-Mode Driver. Exploitation of this vulnerability could result in the escalation of privileges, the creation of denial-of-service conditions, or the execution of arbitrary code with kernel-level privileges resulting in full control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.
It should be noted that there is currently no patch available for this vulnerability and the vulnerability is being actively exploited on the Internet with malware known as Duqu.
SYSTEMS AFFECTED:
- Microsoft Windows XP
- Microsoft Vista
- Microsoft Windows 7
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
A vulnerability has been discovered in Microsoft Windows Kernel-Mode Driver (win32k.sys) that could allow for privilege escalation, remote code execution, or denial-of-service. The win32k.sys driver is used by the Microsoft Windows Kernel to manage displays, collect device input, pass information to applications, and display font types. This vulnerability occurs due to the way the win32k.sys driver fails to properly interpret and display TrueType fonts. By default, all affected operating systems support the rendering of TrueType fonts.
An attacker could leverage this vulnerability by creating a specially crafted document and distributing it through e-mail or if a user visits or is redirected to a specially crafted webpage with an embedded TrueType font. Successful exploitation will allow attackers to run arbitrary code with kernel mode privileges. This could allow attackers to install programs; view, change, or delete data; or create new accounts with full user rights
It should be noted that there is currently no patch available for this vulnerability and the vulnerability is being actively exploited on the Internet with malware known as Duqu. A Microsoft Word document is the current delivery method used with Duqu.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Follow the workarounds provided by Microsoft at http://support.microsoft.com/kb/2639658
- When available, apply the appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
REFERENCES:
Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2639658
http://support.microsoft.com/kb/2639658
Security Focus:
http://www.securityfocus.com/bid/50462/
Symantec:
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
Laboratory of Cryptography and System Security:
http://www.crysys.hu/
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3402
Thomas D. Smith
Director
Cyber Security
- Cyber Security Home
- Awareness/Training/Events
- Incident Reporting
- Breach Notification
- Cyber Advisories
- NYS Digital Forensics
Work Group - Cyber Tips Newsletter
- Keeping Kids Safe Online
- Local Government
- Policies and Resources
- NY-ISAC Secure Portal
GIS
- GIS Home
- GIS Data
- Broadband Providers
- NYS Broadband Map
- Coordination Program
- Orthoimagery
- Outreach/Calendar
- Street Address Mapping (SAM)
- GIS Help Desk
