OCS ADVISORY NUMBER:
2011-067 - Updated

DATE(S) ISSUED:
11/4/2011
12/13/2011 - UPDATED

SUBJECT:
Vulnerability in Microsoft Windows Could Allow Remote Code Execution

ORIGINAL OVERVIEW:

A vulnerability has been discovered in Microsoft Windows Kernel-Mode Driver. Exploitation of this vulnerability could result in the escalation of privileges, the creation of denial-of-service conditions, or the execution of arbitrary code with kernel-level privileges resulting in full control of the affected system.  An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

December 13 - UPDATED OVERVIEW:
Microsoft has released a patch for this vulnerability in bulletin MS11-087

SYSTEMS AFFECTED:

• Microsoft Windows XP
• Microsoft Vista
• Microsoft Windows 7
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008

RISK:
Government:

• Large and medium government entities: High
• Small government entities: High

Businesses:

• Large and medium business entities: High
• Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
A vulnerability has been discovered in Microsoft Windows Kernel-Mode Driver (win32k.sys) that could allow for privilege escalation, remote code execution, or denial-of-service.  The win32k.sys driver is used by the Microsoft Windows Kernel to manage displays, collect device input, pass information to applications, and display font types.  This vulnerability occurs due to the way the win32k.sys driver fails to properly interpret and display TrueType fonts. By default, all affected operating systems support the rendering of TrueType fonts.

An attacker could leverage this vulnerability by creating a specially crafted document and distributing it through e-mail or if a user visits or is redirected to a specially crafted webpage with an embedded TrueType font. Successful exploitation will allow attackers to run arbitrary code with kernel mode privileges. This could allow attackers to install programs; view, change, or delete data; or create new accounts with full user rights

December 13 - UPDATED DESCRIPTION:
Microsoft has released a patch for this vulnerability in bulletin MS11-087

RECOMMENDATIONS:
We recommend the following actions be taken:

• Follow the workarounds provided by Microsoft at http://support.microsoft.com/kb/2639658
• When available, apply the appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
• Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources. 

December 13 - UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

ORIGINAL REFERENCES:
Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2639658
http://support.microsoft.com/kb/2639658

Security Focus:
http://www.securityfocus.com/bid/50462/

Symantec:
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Laboratory of Cryptography and System Security:
http://www.crysys.hu/

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3402

December 13 - UPDATED REFERENCES:
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms11-087
http://blogs.technet.com/b/srd/archive/2011/12/13/more-information-on-ms11-087.aspx