Friday, November 4, 2011

Emergency security workaround from Microsoft

Kudos to Redmond for a quick turnaround mitigating a Day Zero bug being exploited to install malware:

Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems.

In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected every supported version of Windows, including Windows 7 and Windows Server 2008, which are the most secure to date. The critical vulnerability was recently exploited to spread Duqu, malware that some researchers say was derived from last year's Stuxnet worm that sabotaged Iran's uranium enrichment program.
All Windows versions are vulnerable, and this new attack is no joke. Here's what you do:

On Windows XP and Windows Server 2003:
  • For 32-bit systems, enter the following command at an administrative command prompt:
    Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N
  • For 64-bit systems, enter the following commands at an administrative command prompt:
    Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N
    Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:
  • For 32-bit systems, enter the following commands at an administrative command prompt:
    Takeown.exe /f "%windir%\system32\t2embed.dll"
    Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
  • For 64-bit systems, enter the following commands at an administrative command prompt:
    Takeown.exe /f "%windir%\system32\t2embed.dll"
    Icacls.exe "%windir%\system32\t2embed.dll" /deny everyone:(F)
    Takeown.exe /f "%windir%\syswow64\t2embed.dll"
    Icacls.exe "%windir%\syswow64\t2embed.dll" /deny everyone:(F)

You should be able to copy and paste the commands into a command shell window.

A patch is coming, but this will keep you protected until then.
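The commands above differ by Windows generation and by architecture, and the comments below show the two things that trip people up: running them from a non-elevated prompt, and not knowing how to take the workaround off again once the real patch arrives (or if embedded fonts stop rendering). The following batch script is an added example, not code from the post or from Microsoft's advisory; the script name is hypothetical, the elevation check via `net session` is my own choice, and the undo commands (`icacls /remove:d` and `cacls /E /R`) are the standard counterparts of the deny commands quoted above rather than text taken from this page. It picks the XP/2003 or Vista-and-later form automatically and handles the SysWOW64 copy on 64-bit systems.

```batch
@echo off
setlocal EnableExtensions
REM Added helper script (not from the post or from Microsoft's advisory): applies,
REM removes, or verifies the t2embed.dll access-deny workaround on the local machine.
REM It uses the cacls form on XP / Server 2003 and the takeown+icacls form on Vista
REM and later, and also covers the SysWOW64 copy on 64-bit Windows.
REM Usage, from an elevated command prompt:  t2embed_workaround.cmd apply, undo, or check

set "ACTION=%~1"
if "%ACTION%"=="" set "ACTION=check"
if /I "%ACTION%"=="apply" goto :main
if /I "%ACTION%"=="undo"  goto :main
if /I "%ACTION%"=="check" goto :main
echo Usage: %~nx0 apply ^| undo ^| check
exit /b 2

:main
REM Refuse to continue without administrative rights; "net session" fails when the
REM prompt is not elevated, which is the ownership error reported in the comments.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an administrative command prompt.
    exit /b 1
)

REM XP and Server 2003 report "Version 5.x" from VER; Vista and later report 6.x or higher.
set "LEGACY=0"
ver | find "Version 5." >nul && set "LEGACY=1"

REM On 64-bit Windows the WOW64 copy serves 32-bit processes and must be handled too.
REM PROCESSOR_ARCHITEW6432 is set when a 32-bit cmd.exe is running under WOW64.
set "IS64=0"
if /I "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "IS64=1"
if defined PROCESSOR_ARCHITEW6432 set "IS64=1"

call :%ACTION% "%windir%\system32\t2embed.dll"
if "%IS64%"=="1" call :%ACTION% "%windir%\syswow64\t2embed.dll"
exit /b 0

:apply
REM Deny Everyone all access so the font engine can no longer load the DLL.
if "%LEGACY%"=="1" goto :apply_legacy
takeown.exe /f "%~1" >nul
icacls.exe "%~1" /deny everyone:(F)
goto :eof
:apply_legacy
echo y| cacls "%~1" /E /P everyone:N
goto :eof

:undo
REM Remove the deny entry again. Ownership taken by takeown is not reverted here.
REM /remove:d and cacls /E /R are the standard undo flags; they are not quoted on the page.
if "%LEGACY%"=="1" goto :undo_legacy
icacls.exe "%~1" /remove:d everyone
goto :eof
:undo_legacy
echo y| cacls "%~1" /E /R everyone
goto :eof

:check
REM Report whether an explicit deny for Everyone is present on the file.
if "%LEGACY%"=="1" goto :check_legacy
icacls.exe "%~1" | find /I "Everyone:(DENY)" >nul && echo %~1: workaround applied && goto :eof
echo %~1: workaround NOT applied
goto :eof
:check_legacy
cacls "%~1" | find /I "Everyone:N" >nul && echo %~1: workaround applied && goto :eof
echo %~1: workaround NOT applied
goto :eof
```

Run `t2embed_workaround.cmd apply` from a prompt opened with "Run as administrator", then `t2embed_workaround.cmd check` to confirm the deny entry is on both copies of the DLL. Keep the script around: as kx59 points out in the comments, applications that rely on embedded fonts will fail to display properly while the deny is in place, and `t2embed_workaround.cmd undo` is the one-command way to back it out when the patch ships.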

10 comments:

NotClauswitz said...

I do that and (what I absolutely hate about Windows) get an error message: The current logged-on user does not have ownership privileges on the file or folder "C:\Windows\syswow64\t2embed.dll".
But I am and I do.

Borepatch said...

Weird. I'd think booting into Safe Mode (ugh) would let you do this.

Or "sudo takeown ...."

;-)

Jake (formerly Riposte3) said...

Thanks for posting this! I just emailed our IT guy just in case he hadn't seen it yet, and I guess I'll run those commands on my new Win7 computer tonight.

I've actually had a couple of emails at work that - on first glance - looked to be legitimately from a client. I know enough to take a close look at any attachment if I'm not specifically expecting something, but I can't guarantee that anyone else in the office does (and there are a couple I'm pretty sure don't).

NotClauswitz said...

I can't even get my box (win7pro 64bit sp1) to boot to safe mode!
Tried "Power Shell" and it failed too...

kx59 said...

Thanks for the heads up BP!
The devil is in the details. I went to looky at the linky thing "Here's how you do it."
- found an important detail: "Impact of Workaround. Applications that rely on embedded font technology will fail to display properly." and "How to undo the workaround."
So you might want to crib "how to undo the workaround" under "suggested actions / workarounds" and save it to a text file for easy reference after the patch comes out.
Just in case something goes wonky with your fonts.

Rick C said...

Dirtcrashr, run your command prompt as administrator and you'll be able to do the takeown.

Anonymous said...

If you type cmd.exe at the Win7 "search programs and files" prompt, then instead of hitting enter, hit ctrl+shift+enter, and it will pop up the "are you sure you want to mess with this" admin prompt.

Anonymous said...

Way better explanation - Hokey Win7 sudo for dummies

Anonymous said...

I AM the Administrator of my domain... :-)

Anonymous said...

Thank you, Anonymous, for: If you type cmd.exe at the Win7 "search programs and files" prompt, then instead of hitting enter, hit ctrl+shift+enter, and it will pop up the "are you sure you want to mess with this" admin prompt.
That worked!
I'm gonna have to remember the ctrl+shift+enter bit...